RAC2V2S Sagemcom F@ST5280 Firmware extraction Help

Hello,

I am just now learning to code and hardware hack. Lots of electrical knowledge, but VERY new to code and scripts. This is my first post, I thank you in advance.

Device:
RAC2V2S
CPU: BCM4906 (rev: A0)
Model: Sagemcom F@ST5280
DRAM: 1 GiB
NAND: 256 MiB
Using default environment
CFE version 1.0.38-163.231 for BCM94908 (64bit,SP,LE)
Chip ID: BCM4906_A0, Broadcom B53 Quad Core: 1800MHz
Total Memory: 1073741824 bytes (1024MB)
Image Type: AArch64 Linux Kernel Image (gzip compressed)
Flattened Device Tree blob at 3bfc2820
Booting using the fdt blob at 0x3bfc2820
Linux version 4.1.52-5.02L.07

-The device DOES NOT have the web login, it has the "spectrum app".

After quite a bit of research I am fully aware that Broadcom isn't great with open-source info and will be difficult to hack. But I have time and I am learning. So I will wage the war.

I am trying to extract the firmware and am not quite sure how to go about it.
-I have a few different serial terminal apps.
-I have OpenSSH and PuTTY for Telnet
-I have a tftp client/server set up
-I have a pl2303 serial cable
-I have python3 and VS Code
-I have Windows 10 with Ubuntu in a virtual environment
-I have a dedicated Linux box running Debian/Kali
-I have already accessed the serial console and pulled the console/boot log.
-I tried finding some python scripts to help me extract the image into the correct partitions with very little luck.

*** If someone could help get me moving in the right direction it would be greatly appreciated. If anyone has any good links to websites or videos to watch/research I would be very interested in that too.

Console/Boot log

=> ----
BTRM
V1.6
CPU0
L1CD
MMUI
MMU7
DATA
ZBBS
MAIN
OTP?
OTPP
USBT
NAND
IMG?
IMGL
UHD?
UHDP
RLO?
RLOP
UBI?
UBIP
PASS
----
HELO
5.0207-1.0.38-163.231
CPU0
L1CD
MMUI
MMUA
CODE
ZBBS
MAIN
SEND
Boot Strap Register:  0x6fd42
NVRAM memcfg 0x21507
MCB chksum 0xa65e0f05, config 0x21507
DDR3-1600 CL11 total 1024MB 2 8bits part[s] %1 SSC High Temperature ASR

DDR test done successfully
Version cfe-rom: 3.0.8
FPS0
J2EP


Base: 5.2_07
CFE version 1.0.38-163.231 for BCM94908 (64bit,SP,LE)
Build Date: jeudi 12 décembre 2019, 16:39:36 (UTC+0100) (g601671@rmm-p2000156fl.ads.local)
Copyright (C) 2000-2015 Broadcom Corporation.
Version cfe-ram: 3.0.8

SEND
Boot Strap Register:  0x6fd42
Chip ID: BCM4906_A0, Broadcom B53 Quad Core: 1800MHz
Total Memory: 1073741824 bytes (1024MB)
NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: Spansion S34ML02G1, id 0x000001da block 128KB size 262144KB
CPU1
pmc_init:PMC using DQM mode
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernal  
Boot delay (0-9 seconds)          : 1  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Default DTB file name             :   
Board Id                          : F@ST5280  
Number of MAC Addresses (1-64)    : 10  
Base MAC Address                  : 6c:99:61:d6:45:22  
PSI Size (1-512) KBytes           : 128  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
flow memory allocation (MB)       : 14  
buffer memory allocation (MB)     : 16  
DHD 0 memory allocation (MB)      : 0  
DHD 1 memory allocation (MB)      : 0  
DHD 2 memory allocation (MB)      : 0  
WLan Feature                      : 0x00  
Partition 1 Size (MB)             :   
Partition 2 Size (MB)             :   
Partition 3 Size (MB)             :   
Partition 4 Size (MB) (Data)      : 4MB  

Initalizing switch low level hardware.
pmc_switch_power_up: Rgmii Tx clock zone1 enable 0 zone2 enable 0. 
Software Resetting Switch ... Done.
Waiting MAC port Rx/Tx to be enabled by hardware ...Done
Disable Switch All MAC port Rx/Tx
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Initializing UBI and starting U-Boot...
Looking for UBI...
Looking for U-Boot...
Found valid GSDF
Starting U-Boot from UBI at 0x0000000000080000


U-Boot 2017.09@sc-0.86.10 (Dec 12 2019 - 16:42:59 +0100) sc_f5280

CPU:   BCM4906 (rev: A0)
Model: Sagemcom F@ST5280
DRAM:  1 GiB
NAND:  256 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial

Version: 2017.09@sc-0.86.10

Board: F@ST5280
Mode: standard
Boot: flags=0x00,retries=0
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=2", size 8 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 70, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 4, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 98/5, WL threshold: 4096, image sequence number: 1033775724
ubi0: available PEBs: 10, total reserved PEBs: 60, PEBs reserved for bad PEB handling: 40
Net:   brcmenet
Autoboot in 5 seconds. Press <SPACE> to abort.
sbp: check net command
sbp: boot operational
sb3: booting 'operational'
WARNING: coe-aes: AES key2 unavailable. Using default.
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=2", size 8 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 70, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 4, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 98/5, WL threshold: 4096, image sequence number: 1033775724
ubi0: available PEBs: 10, total reserved PEBs: 60, PEBs reserved for bad PEB handling: 40
Volume aes_key_operator not found!
coe-aes: Encrypted data size is 0 bytes
Volume aes_key_operator not found!
ERROR: coe-aes: Failed to read UBI volume aes_key_operator
ERROR: coe-aes: Failed to load data
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=3", size 191 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 1530, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 179/16, WL threshold: 4096, image sequence number: 20314775
ubi0: available PEBs: 536, total reserved PEBs: 994, PEBs reserved for bad PEB handling: 40
sb3: loaded image 'operational' (27176928 bytes) at 0x0000000001000000
sb3: image 'operational' type is 'gsdf'
sb3: image 'operational' signature is OK
sb3: no pre-boot command found
WARNING: sb3: failed to build CoE args
sb3: found FDT in image 'operational'
sb3: NVRAM inserted in FDT
sb3: CFE version inserted in FDT
sb3: BLPARMS inserted in FDT
sb3: disabling ethernet driver
## Booting kernel from Legacy Image at 0101f000 ...
   Image Name:   scOS 2.0.6_prod (OS2.4_15.0)
   Image Type:   AArch64 Linux Kernel Image (gzip compressed)
   Data Size:    4456448 Bytes = 4.3 MiB
   Load Address: 00080000
   Entry Point:  00080000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 3bfc2820
   Booting using the fdt blob at 0x3bfc2820
   Uncompressing Kernel Image ... OK
   reserving fdt memory region: addr=0 size=10000
   Loading Device Tree to 000000000ffec000, end 000000000fffefff ... OK

Starting kernel ...

Booting Linux on physical CPU 0x0
Linux version 4.1.52-5.02L.07 (builder@b80c4af2f9b9) (gcc version 5.5.0 (crosstool-NG crosstool-ng-1.23.0-317-g85b86d8) ) #1 SMP PREEMPT Sat Mar 5 02:12:31 UTC 2022
CPU: AArch64 Processor [420f1000] revision 0
Detected VIPT I-cache on CPU0
alternatives: enabling workaround for ARM erratum 845719
Reserved memory: reserved region for node 'dt_reserved_rdp1': base 0x0000000007000000, size 64 MiB
Reserved memory: reserved region for node 'dt_reserved_rdp2': base 0x0000000004400000, size 44 MiB
Reserved memory: reserved region for node 'dt_reserved_dhd0': base 0x000000000be00000, size 14 MiB
Reserved memory: reserved region for node 'dt_reserved_dhd1': base 0x000000000b000000, size 14 MiB
Reserved memory: failed to reserve memory for node 'dt_reserved_dhd2': base 0x0000000000000000, size 0 MiB
On node 0 totalpages: 243712
  DMA zone: 3332 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 243712 pages, LIFO batch:31
PERCPU: Embedded 16 pages/cpu @ffffffc03ffb0000 s24984 r8192 d32360 u65536
pcpu-alloc: s24984 r8192 d32360 u65536 alloc=16*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 240380
Kernel command line: root=mtd:rootfs earlyprintk debug init=/etc/preinit ro rootfstype=squashfs console=ttyS0,115200 rootfs_offset=0x47b000 rootfs_size=0x156f000 coherent_pool=1M init=/etc/preinit rw mtdparts=brcmnand.0:128k(nvram),640k(cfe),8960k(boot),195840k(ubi),-(data) ubi.mtd=ubi,0 part_main=ubi part_boot=boot image_ubivol=operational board_type=00030080
UBI image volume: "operational"
log_buf_len individual max cpu contribution: 4096 bytes
log_buf_len total cpu_extra contributions: 12288 bytes
log_buf_len min size: 16384 bytes
log_buf_len: 32768 bytes
early log buf free: 14256(87%)
PID hash table entries: 4096 (order: 3, 32768 bytes)
Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes)
Inode-cache hash table entries: 65536 (order: 7, 524288 bytes)
Memory: 883792K/974848K available (4999K kernel code, 1837K rwdata, 1680K rodata, 228K init, 413K bss, 91056K reserved, 0K cma-reserved)
Virtual kernel memory layout:
    vmalloc : 0xffffff8000000000 - 0xffffffbdffff0000   (   247 GB)
    vmemmap : 0xffffffbe00000000 - 0xffffffbfc0000000   (     7 GB maximum)
              0xffffffbe00000000 - 0xffffffbe00e00000   (    14 MB actual)
    fixed   : 0xffffffbffabfd000 - 0xffffffbffac00000   (    12 KB)
    PCI I/O : 0xffffffbffae00000 - 0xffffffbffbe00000   (    16 MB)
    modules : 0xffffffbffc000000 - 0xffffffc000000000   (    64 MB)
    memory  : 0xffffffc000000000 - 0xffffffc040000000   (  1024 MB)
      .init : 0xffffffc000707000 - 0xffffffc000740000   (   228 KB)
      .text : 0xffffffc000080000 - 0xffffffc000706764   (  6682 KB)
      .data : 0xffffffc000741000 - 0xffffffc00090c7c0   (  1838 KB)
Preemptible hierarchical RCU implementation.
NR_IRQS:64 nr_irqs:64 0
Architected cp15 timer(s) running at 50.00MHz (phys).
clocksource arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0xb8812736b, max_idle_ns: 440795202655 ns
sched_clock: 56 bits at 50MHz, resolution 20ns, wraps every 4398046511100ns
BRCM Legacy Drivers' Helper, all legacy drivers' IO memories/interrupts should be remapped here
     Remapping interrupts...
             hwirq      virq
               50         5
               61         6
               64         7
               66         8
               77         9
               78        10
               79        11
               80        12
               81        13
               82        14
               83        15
               84        16
               85        17
               86        18
               88        19
               96        20
               97        21
               98        22
               99        23
              118        24
              119        25
              106        26
              104        27
              105        28
               76        29
              120        30
              110        31
              148        32
              154        33
              155        34
              156        35
              157        36
              158        37
              159        38
               69        39
     Remapping IO memories...
             phys              virt          size
       00000000ff800000  ffffff8000008000  00003000
       00000000ff858000  ffffff800000c000  00003000
       00000000ffe00000  ffffff8000080000  00100000
       0000000080002000  ffffff8000002000  00001000
       0000000080018000  ffffff8000010000  00004000
       0000000080200000  ffffff8000018000  00005000
       0000000080280000  ffffff8000016000  00001000
       0000000082200000  ffffff8000200000  00100000
       0000000080080000  ffffff8000380000  00050000
       0000000080008000  ffffff8000020000  00003fff
       000000008000c000  ffffff8000028000  00003fff
       0000000081060000  ffffff8000030000  00004000
       0000000080100000  ffffff8000038000  00002000
       0000000080010000  ffffff800001e000  00001000
console [ttyS0] enabled
Calibrating delay loop (skipped), value calculated using timer frequency.. 100.00 BogoMIPS (lpj=500000)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 2048 (order: 2, 16384 bytes)
Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes)
--Kernel Config--
  SMP=1
  PREEMPT=1
  DEBUG_SPINLOCK=0
  DEBUG_MUTEXES=0
Error:incomplete rsvd mem entry base 0 size 0 for dt_reserved_dhd2
Do not need to create mapping for reserved memory phys 0x0000000007000000 virt 0xffffffc007000000 size 0x04000000 for rdp1
creating mapping for reserved memory phys 0x0000000004400000 virt 0xffffffc004400000 size 0x02c00000 for rdp2
creating mapping for reserved memory phys 0x000000000be00000 virt 0xffffffc00be00000 size 0x00e00000 for dhd0
creating mapping for reserved memory phys 0x000000000b000000 virt 0xffffffc00b000000 size 0x00e00000 for dhd1
pmc_init:PMC using DQM mode
Successfully retrieved NVRAM data from dtb
����������: 255.255.255-255.255
CPU1: Booted secondary processor
Detected VIPT I-cache on CPU1
CPU2: failed to come online
CPU3: failed to come online
Brought up 2 CPUs
SMP: Total of 2 processors activated.
CPU: All CPU(s) started at EL2
alternatives: patching kernel code
devtmpfs: initialized
clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
futex hash table entries: 1024 (order: 4, 65536 bytes)
NET: Registered protocol family 16
cpuidle: using governor ladder
cpuidle: using governor menu
vdso: 2 pages (1 code @ ffffffc000749000, 1 data @ ffffffc000748000)
DMA: preallocated 1024 KiB pool for atomic allocations
Broadcom Logger v0.1
ACPI: Interpreter disabled.
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
bcmhs_spi bcmhs_spi.1: master is unqueued, this is deprecated
skb_free_task created successfully with start budget 256
BLOG v3.0 Initialized
BLOG Rule v1.0 Initialized
Broadcom IQoS v1.0 initialized
Broadcom GBPM v0.1 initialized
Switched to clocksource arch_sys_counter
pnp: PnP ACPI: disabled
NET: Registered protocol family 2
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 5, 131072 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
UDP hash table entries: 512 (order: 2, 16384 bytes)
UDP-Lite hash table entries: 512 (order: 2, 16384 bytes)
NET: Registered protocol family 1
PCI: CLS 0 bytes, default 64
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
fuse init (API version 7.23)
io scheduler noop registered (default)
brd: module loaded
loop: module loaded
nand: device found, Manufacturer ID: 0x01, Chip ID: 0xda
nand: AMD/Spansion S34ML02G2
nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 128
bcm63xx_nand ff801800.nand: Adjust timing_1 to 0x65324458 timing_2 to 0x80040e54
bcm63xx_nand ff801800.nand: detected 256MiB total, 128KiB blocks, 2KiB pages, 16B OOB, 8-bit, BCH-4
Bad block table found at page 131008, version 0x01
Bad block table found at page 130944, version 0x01
Part[0] name=rootfs, size=20000, ofs=0
Part[1] name=rootfs_update, size=a0000, ofs=20000
Part[2] name=ubi, size=7a40000, ofs=c0000
Part[3] name=data, size=0, ofs=0
Part[4] name=nvram, size=0, ofs=0
5 cmdlinepart partitions found on MTD device brcmnand.0
Creating 5 MTD partitions on "brcmnand.0":
0x000000000000-0x000000020000 : "nvram"
0x000000020000-0x0000000c0000 : "cfe"
0x0000000c0000-0x000000980000 : "boot"
0x000000980000-0x00000c8c0000 : "ubi"
0x00000c8c0000-0x000010000000 : "data"
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP Deflate Compression module registered
NET: Registered protocol family 24
i2c /dev entries driver
bcm96xxx-wdt ff800428.watchdog: Broadcom BCM96xxx watchdog timer
brcmboard registered
brcmboard: brcm_board_init entry
print_rst_status: Last RESET due to POR reset
print_rst_status: RESET reason: 0x00000000
D%GDYING GASP IRQ Initialized and Enabled
SES: LED GPIO 0x400c is enabled
map_hw_timer_interrupt,130: interrupt_id 20
map_hw_timer_interrupt,130: interrupt_id 21
map_hw_timer_interrupt,130: interrupt_id 22
map_hw_timer_interrupt,130: interrupt_id 23
(NULL device *): Led 14 renamed to 14_1 due to name collision
Serial: BCM63XX driver $Revision: 3.00 $
Magic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands)
ttyS0 at MMIO 0xff800640 (irq = 7, base_baud = 921600) is a BCM63XX
bcm_i2c: Error in loading module

Optical detection module loaded.
BPM: tot_mem_size=1073741824B (1024MB), buf_mem_size <15%> =161061270B (153MB), num of buffers=55924, buf size=2880
Broadcom BPM Module Char Driver v0.1 Registered<304>
[NTC bpm] bpm_module_init: tot_mem_pool=2542 mem_idx:2542

Using the HELP command I was able to get this information

Just the facts

Base Address: 0x00000000
VID header offset: 2048 (aligned 2048), data offset: 4096

                 ulNandPartOfsKb (offset)    ulNandPartSizeKb (size)
[NP_BOOT=0]:     0x00000000  (0x00000000)    0x00000300  (   768 kB)
[NP_ROOTFS_1=1]: 0x00000300  (0x000c0000)    0x0001f480  (128128 kB)
[NP_ROOTFS_2=2]: 0x0001f780  (0x07de0000)    0x0001f480  (128128 kB)
[NP_DATA=3]:     0x0003ec00  (0x0fb00000)    0x00001000  (  4096 kB)
[NP_BBT=4]:      0x0003fc00  (0x0ff00000)    0x00000400  (  1024 kB)

alloc_rdp:          param1_size=16, param2_size=14

arch_number = 0x00000000
boot_params = 0x00000000
DRAM bank   = 0x00000000
-> start    = 0x00000000
-> size     = 0x40000000
eth0name    = brcmenet
ethaddr     = 
current eth = brcmenet
ip_addr     = 192.168.1.1
baudrate    = 115200 bps
TLB addr    = 0x3FF70000
relocaddr   = 0x3FEDD000
reloc off   = 0x3FE5D000
irq_sp      = 0x3BEDADE0
sp start    = 0x3BEDADE0
fdt_blob = 000000003ff519c0
sbp tags    = 0x3FF80000

Device 0: nand0, sector size 128 KiB
  Page size       2048 b
  OOB size          64 b
  Erase size    131072 b
  subpagesize     2048 b
  options     0x40100200
  bbt options 0x00068000
  
  => ubi info
UBI: MTD device name:            "mtd=2"
UBI: MTD device size:            8 MiB
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: number of good PEBs:        70
UBI: number of bad PEBs:         0
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     4
UBI: available PEBs:             10
UBI: total number of reserved PEBs: 60
UBI: number of PEBs reserved for bad PEB handling: 40
UBI: max/mean erase counter: 98/5

md [.b, .w, .l, .q] address [# of objects]
=> md help
00000000: 1400058a d503201f 0000fff8 00000000    ..... ..........
00000010: 02faf080 00000000 81062000 00000000    ......... ......
00000020: 010412a8 00000000 43505530 00000000    ........0UPC....
00000030: 30c50830 00000000 81001000 00000000    0..0............
00000040: 81002000 00000000 f81f0ffe 94011a1b    . ..............
00000050: f84107fe d65f03c0 910003e0 d65f03c0    ..A..._......._.
00000060: aa0003f8 d53b4224 b2400424 d51b4224    ....$B;.$.@.$B..
00000070: 52800000 97fffff5 940119a7 94011be8    ...R............
00000080: 94011984 94011a65 58000a80 b9400001    ....e......X..@.
00000090: 340001c1 d51c111f aa1803e4 58000a20    ...4........ ..X
000000a0: 94011a59 e3a00000 e59f1010 e3a02c01    Y............,..
000000b0: e59f300c e1a00000 e1a0f004 00f00068    .0..........h...
000000c0: 00002709 43464531 58000900 94011a43    .'..1EFC...XC...
000000d0: d2a01e00 aa1f03e1 aa1f03e2 aa1f03e3    ................
000000e0: d61f0300 d53e1001 927df821 927ff821    ......>.!.}.!...
000000f0: 9273f821 d51e1001 d5033fdf d2800006    !.s......?......

The python script I found is NOT for this device. I found it for another router and I just finished a 10 hour python course but I still am not sure how to change it to match my needs.

import sys

import coloredlogs
import logging
import serial
from pexpect import fdpexpect

logger = logging.getLogger(__name__)
coloredlogs.install(level='DEBUG')

serial_device = '/dev/ttyUSB0'


def parsepage(pagedata):
    # One page of "nand dump" output is 128 lines of 16 hex bytes; each line
    # is 51 characters including the leading tab and the CR/LF.
    data = b''
    for linenum in range(0, 128):
        line = pagedata[linenum * 51: linenum * 51 + 51]
        line = line.strip()
        line = line.replace(b' ', b'')
        data += bytes.fromhex(line.decode('ascii'))

    return data


logger.debug("Opening Serial " + serial_device)
ser = serial.Serial(serial_device, 115200)   # the pyserial class is Serial, not serial
if ser.name != serial_device:
    logger.critical("Unexpected: device " + ser.name + " != " + serial_device)
    ser.close()                              # Serial has close(), not exit()
    sys.exit(1)

else:
    logger.debug("Device open: " + ser.name)

reader = fdpexpect.fdspawn(ser)

logger.info("Waiting for router boot sequence... (power cycle whenever)")

# This is the autoboot prompt of the other router's U-Boot, not the F@ST5280's.
reader.expect("Hit any key to stop autoboot:")
logger.debug("Stopping Autoboot")
reader.sendline("")
logger.debug("Waiting for uboot prompt")
reader.expect("=> ")

with open("dump.bin", "wb") as fd:
    for pagenum in range(0, 65536):
        # gets offset of page, formats it in hex (no 0x) with leading zeroes
        page_offset = f"{pagenum*2048:08x}"
        logger.debug("Dumping page  " + str(pagenum) +
                     " (" + page_offset + ")")
        reader.sendline("nand dump " + page_offset)
        # real escape sequences ("\r\n\t"), not the literal text "/r/n/t"
        reader.expect("Page " + page_offset + " dump:\r\n\t")
        # 128 lines * 51 chars, minus the tab already consumed by expect()
        pagedata = reader.read(6527)
        fd.write(parsepage(pagedata))

Since this was all dumped as one file, he had to write another script to partition it correctly. Again, this is ALSO not for my device. But I am using it as a starting point.

-At the top, I listed his partition info
-I listed his commands, which I commented out
-At the bottom I listed my partition info.

# This is an example, NOT MY ACTUAL FLASH DRIVE OR SIZES!!

# 0x000000000000-0x000002000000 : "u-boot"
# 0x000002000000-0x000006000000 : "others"
# 0x000006000000-0x00000a000000 : "parameter tags"
# 0x00000a000000-0x00000e000000 : "wlan"
# 0x00000e000000-0x000016000000 : "usercfg"
# 0x000001600000-0x00001a000000 : "middleware"
# 0x000001a00000-0x00003a000000 : "kernel1"
# 0x000003a00000-0x00005a000000 : "kernel2"
# 0x000003a20000-0x00005a000000 : "rootfs"
# 0x000005a00000-0x00005c000000 : "Plugin"


# $~ cat extract.sh
# bs=2048 is the NAND page size, so count= and skip= are counted in pages, not bytes.
# (dd needs "skip=N"; "skip N" is a syntax error.)
dd if=mddump-full.bin of=u-boot.bin bs=2048 count=1024
dd if=mddump-full.bin of=others.bin bs=2048 count=2048 skip=1024
dd if=mddump-full.bin of=parameter_tags.bin bs=2048 count=2048 skip=3072
dd if=mddump-full.bin of=wlan.bin bs=2048 count=2048 skip=5120
dd if=mddump-full.bin of=usercfg.bin bs=2048 count=4096 skip=7168
dd if=mddump-full.bin of=middleware.bin bs=2048 count=2048 skip=11264
dd if=mddump-full.bin of=kernel1.bin bs=2048 count=16384 skip=13312
dd if=mddump-full.bin of=kernel2.bin bs=2048 count=16384 skip=29696
dd if=mddump-full.bin of=rootfs.bin bs=2048 count=16320 skip=29768
dd if=mddump-full.bin of=plugin.bin bs=2048 count=1024 skip=46080
# $~ ./extract.sh



# $~ binwalk rootfs.bin
# $~ cd _rootfs.bin.extracted/
# $~ ls
# $~ cd jffs2-root/
# $~ ls
# $~ cat etc/shadow #displays the router password hash.

######################################################

# Below are the partitions for the Broadcom F@ST 5280

# device nand0 <brcmnand.0>, # parts = 5
#  #: name..size..offset..mask_flags
#  0: nvram               0x00020000.0x00000000.0
#  1: cfe                 0x000a0000.0x00020000.0
#  2: boot                0x008c0000.0x000c0000.0
#  3: ubi                 0x0bf40000.0x00980000.0
#  4: data                0x03740000.0x0c8c0000.0
# 
# active partition: nand0,0 - (nvram) 0x00020000 @ 0x00000000

Spent a little time with ChatGPT and this is what I came up with.

I am about to try it now. Fingers crossed!

import sys

import coloredlogs
import logging
import serial
from pexpect import fdpexpect

logger = logging.getLogger(__name__)
coloredlogs.install(level='DEBUG')

serial_device = '/dev/ttyUSB0'

# NAND geometry from the U-Boot banner / "nand info" output above.
page_size_bytes = 2048
total_size_kb = 262144

# Partition layout from the ulNandPartOfsKb / ulNandPartSizeKb table above:
# (name, start offset in bytes, size in bytes). The sizes are given in kB
# in that table, so they are multiplied by 1024 here.
partitions = [
    ("np_boot",     0x00000000, 0x00000300 * 1024),
    ("np_rootfs_1", 0x000c0000, 0x0001f480 * 1024),
    ("np_rootfs_2", 0x07de0000, 0x0001f480 * 1024),
    ("np_data",     0x0fb00000, 0x00001000 * 1024),
    ("np_bbt",      0x0ff00000, 0x00000400 * 1024),
]


def parsepage(pagedata):
    """Convert one page of "nand dump" output back into raw bytes.

    U-Boot prints 16 bytes per line, 128 lines per 2048-byte page; each line is
    51 characters including the leading tab and the CR/LF."""
    data = b''
    for linenum in range(0, 128):
        line = pagedata[linenum * 51: linenum * 51 + 51]
        line = line.strip()
        line = line.replace(b' ', b'')
        data += bytes.fromhex(line.decode('ascii'))

    return data


def partition_for(offset):
    """Return the name of the partition containing this byte offset (or None).

    The page is routed by *where it sits in flash*; the page contents are never
    compared with the partition table, because data bytes do not carry it."""
    for name, start, size in partitions:
        if start <= offset < start + size:
            return name
    return None


logger.debug("Opening Serial " + serial_device)
ser = serial.Serial(serial_device, 115200)
if ser.name != serial_device:
    logger.critical("Unexpected: device " + ser.name + " != " + serial_device)
    ser.close()                              # Serial has close(), not exit()
    sys.exit(1)

else:
    logger.debug("Device open: " + ser.name)

reader = fdpexpect.fdspawn(ser)

logger.info("Waiting for router boot sequence... (power cycle whenever)")

# The F@ST5280 U-Boot prints this line (see the boot log above) and wants a
# space, not a newline, to abort autoboot.
reader.expect("Autoboot in 5 seconds. Press <SPACE> to abort.")
logger.debug("Stopping Autoboot")
reader.send(" ")
logger.debug("Waiting for uboot prompt")
reader.expect("=> ")

# Calculate total number of pages
total_size_bytes = total_size_kb * 1024
total_pages = total_size_bytes // page_size_bytes

# One output file per partition, opened once and filled page by page in
# flash order (not one file per page).
files = {name: open(name + ".bin", "wb") for name, _, _ in partitions}
try:
    for pagenum in range(total_pages):
        offset = pagenum * page_size_bytes
        page_offset = f"{offset:08x}"
        logger.debug("Dumping page  " + str(pagenum) +
                     " (" + page_offset + ")")
        reader.sendline("nand dump " + page_offset)
        # real escape sequences ("\r\n\t"), not the literal text "/r/n/t"
        reader.expect("Page " + page_offset + " dump:\r\n\t")
        # 128 lines * 51 chars, minus the tab already consumed by expect()
        pagedata = reader.read(6527)

        name = partition_for(offset)
        if name is None:
            logger.warning("page " + page_offset + " is outside every partition")
            continue
        files[name].write(parsepage(pagedata))
finally:
    for fd in files.values():
        fd.close()
    ser.close()

I guess I am going to keep this here as a blog about my trials and tribulations.

The Bad

  • None of the scripting worked. No matter what I managed to come up with, there was always one issue or another... So I deemed it a good time to start a course in Python.

Progress

  • I set up a Samsung Galaxy S22 Ultra with an international eSIM (Verizon 5G-wave). I placed the phone in developer mode and selected "Enable Mock Modem", then plugged in a USB-C to Ethernet adapter and plugged into the yellow Ethernet slot on the router. I then plugged my serial cable in to watch the boot process. To my surprise, the router boots up and gives me full wifi capabilities without logging into an app or a web GUI.

*Next is to learn more about SSH and Telnet so I can pentest them while it's operational.

*An nmap scan of the IP address shows port 80 and port 443 both open?

That is all for now
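The two things this post is actually after, splitting one full NAND dump into the partitions the kernel printed and checking that the "ubi" slice really is a UBI image, can be done offline once dump.bin exists. The following is an added example, not the original poster's code and not anything from Sagemcom or Broadcom. It parses the `mtdparts=` string from the kernel command line in the boot log (only the `size(name)` form used there; the `ro`, `@offset` and `lk` variants of that syntax are not handled), slices a dump by the resulting offsets, and then walks the UBI partition erase block by erase block, reading each erase-counter header (the 64-byte structure that begins with `UBI#`) and verifying its CRC, which UBI computes as the kernel's crc32_le seeded with 0xFFFFFFFF and no final inversion. The NAND size, PEB size and the VID-header/data offsets it expects are the ones in the boot log; the sample partition it builds is constructed test data, and the value 20314775 is just the image sequence number from the log reused as a constant.

```python
"""Split a raw NAND dump by the kernel's mtdparts= layout and check the UBI
partition by validating its erase-counter (EC) headers. Added example; the
mtdparts string and sizes come from the boot log in this thread, the sample
partition below is constructed."""
import re
import struct
import zlib

MTDPARTS = "brcmnand.0:128k(nvram),640k(cfe),8960k(boot),195840k(ubi),-(data)"
NAND_SIZE = 256 * 1024 * 1024          # "NAND: 256 MiB" in the U-Boot banner
PEB_SIZE = 128 * 1024                  # "PEB size: 131072 bytes" in the log
UBI_EC_MAGIC = b"UBI#"
UBI_EC_HDR_SIZE_CRC = 60               # bytes covered by hdr_crc (64-byte header)


def parse_mtdparts(spec, flash_size):
    """Turn a Linux mtdparts= string into [(name, offset, size)].
    A size of '-' means 'the rest of the device'. Only size(name) entries are
    handled (no ro/@offset/lk flags)."""
    _device, _, parts = spec.partition(":")
    unit = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, None: 1}
    table, offset = [], 0
    for part in parts.split(","):
        m = re.fullmatch(r"(?:(\d+)([kmg])?|(-))\((\w+)\)", part)
        if not m:
            raise ValueError(f"unparseable partition {part!r}")
        num, suffix, rest, name = m.groups()
        size = flash_size - offset if rest else int(num) * unit[suffix]
        if size <= 0 or offset + size > flash_size:
            raise ValueError(f"partition {name} does not fit in the device")
        table.append((name, offset, size))
        offset += size
    if offset != flash_size:
        raise ValueError("partitions do not cover the whole device")
    return table


def split_dump(dump, table):
    """Slice a raw dump (bytes) into one bytes object per partition."""
    if len(dump) != table[-1][1] + table[-1][2]:
        raise ValueError("dump length does not match the partition table")
    return {name: dump[off:off + size] for name, off, size in table}


def ubi_crc32(data):
    """UBI's header CRC: crc32_le seeded with 0xFFFFFFFF and no final XOR,
    i.e. zlib's CRC-32 with its output inversion undone."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def parse_ec_header(peb):
    """Parse the EC header at the start of one PEB; None if the block is erased
    or not UBI. Big-endian layout: magic, version, 3 pad, ec (u64),
    vid_hdr_offset, data_offset, image_seq, 32 pad, hdr_crc."""
    if peb[:4] != UBI_EC_MAGIC:
        return None
    version, ec, vid_off, data_off, image_seq, crc = struct.unpack(
        ">4xB3xQIII32xI", peb[:64])
    return {"version": version, "ec": ec, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "image_seq": image_seq,
            "crc_ok": crc == ubi_crc32(peb[:UBI_EC_HDR_SIZE_CRC])}


def check_ubi_partition(part, peb_size=PEB_SIZE):
    """Walk the partition PEB by PEB and summarise what the headers say.
    Mixed layouts or image sequence numbers would mean the dump is not one
    consistent UBI image; bad CRCs point at a corrupted capture."""
    summary = {"pebs": len(part) // peb_size, "ubi": 0, "bad_crc": 0,
               "layouts": set(), "image_seqs": set()}
    for i in range(summary["pebs"]):
        hdr = parse_ec_header(part[i * peb_size:(i + 1) * peb_size])
        if hdr is None:
            continue                       # erased (0xFF) or foreign block
        summary["ubi"] += 1
        if not hdr["crc_ok"]:
            summary["bad_crc"] += 1
            continue
        summary["layouts"].add((hdr["vid_hdr_offset"], hdr["data_offset"]))
        summary["image_seqs"].add(hdr["image_seq"])
    return summary


def build_ec_header(ec, vid_off=2048, data_off=4096, image_seq=20314775):
    """Constructed test data: a well-formed EC header with a correct CRC."""
    body = struct.pack(">4sB3xQIII32x", UBI_EC_MAGIC, 1, ec, vid_off, data_off, image_seq)
    return body + struct.pack(">I", ubi_crc32(body))


def sample_ubi_partition():
    """Constructed partition: three good UBI PEBs, one erased PEB, one whose
    header has a flipped bit (and therefore a failing CRC)."""
    pebs = [build_ec_header(ec).ljust(PEB_SIZE, b"\xff") for ec in (5, 16, 179)]
    pebs.append(b"\xff" * PEB_SIZE)
    broken = bytearray(build_ec_header(7).ljust(PEB_SIZE, b"\xff"))
    broken[8] ^= 0x01                      # first byte of the ec field
    pebs.append(bytes(broken))
    return b"".join(pebs)


if __name__ == "__main__":
    for name, off, size in parse_mtdparts(MTDPARTS, NAND_SIZE):
        print(f'0x{off:012x}-0x{off + size:012x} : "{name}"')
    print(check_ubi_partition(sample_ubi_partition()))
```

Run against the real mtdparts string it reproduces the five ranges the kernel printed (`0x000000980000-0x00000c8c0000 : "ubi"` and so on), which is a cheap way to confirm the dump script's partition table before cutting anything; on a real dump.bin you would read the file into `split_dump` and hand `parts["ubi"]` to `check_ubi_partition`, expecting a single `(2048, 4096)` layout and no bad CRCs. A partition that passes this check is what tools such as ubireader then unpack into volumes.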

Hi, what does any of what you're doing have to do with OpenWrt?
Are you trying to port OpenWrt to the device? If so you do not need to extract the firmware from the device.

And it being a Broadcom device, wifi will never work properly (in OpenWrt).