OpenWrt Forum Archive

Topic: Crippled u-boot and dumping nand flash

The content of this topic has been archived on 23 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi there

My apologies for this long post.

I've got a SagemCom Fast3963 HGW3 based router modem supplied by my ISP where I've managed to get a serial console.
What surprises me is that it seems it uses a heavily modified OpenWRT build.

Hardware:
Ikanos Fusiv VX185 MIPS32 Core @ 400 MHz
128MiB Ram
128MiB Nand flash
Atheros AR8327 Gigabit Switch
Atheros 9380 WiFi
Combo VDSL2/ADSL2+ Modem Si3217
Serial console active 115200,8,1,0
EJTAG 2.6 available - need to test if active.

Currently I only have access to the webgui part, which is very limited due to the restrictive manner of my ISP.
I've tried same login credentials in the serial console - no dice.

This is where I've hit the wall.

During the initial boot process I can break and jump to the crippled u-boot command line.

These are the commands available:

Primary boot with ubi support
Version: 3.20.0   (May 15 2012 - 11:41:35)
Copyright (C) 2011 - 2012 Sagemcom All rights reserved
gpio in: fe3fd9e4
board type: hgw3 128 (00010021)
board frequency: 00000190
nand ctrl (b909804c) 04050505  19050505  
ddr  ctrl (b9100000) c49b4618  22161323  c6001632  00000018  0000000a  
ddr  ctrl (b9108118) 01004332  00000201

Secondary boot
Version: 3.20.0   (May 15 2012 - 11:41:31)

Copyright (C) 2011 - 2012 Sagemcom All rights reserved
board type: 00010021
boot partition size: 08000000
NAND ECC error at address 0x0015b800 (eb 0xa   page 0x37   section 1)
  errlocations[0] = 0x90f
executing raw u-boot

U-Boot 2010.09
Version: 3.20.0-small (May 15 2012 - 11:40:46) 
Copyright (C) 2011 - 2012 Sagemcom All rights reserved
board type: 00010021
boot partition size: 08000000
CPU: IKANOS Fusiv 183 Family, Major Revision: 2
DRAM:  128 MiB
NAND:  128 MiB
Creating 1 MTD partitions on "nand0":
0x0000000c0000-0x000008000000 : "mtd=2"
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: fixable bit-flip detected at PEB 47:0
UBI: fixable bit-flip detected at PEB 53:0
UBI: fixable bit-flip detected at PEB 105:0
UBI: fixable bit-flip detected at PEB 118:0
UBI: fixable bit-flip detected at PEB 202:0
UBI: fixable bit-flip detected at PEB 292:0
UBI: fixable bit-flip detected at PEB 476:0
UBI: fixable bit-flip detected at PEB 486:0
UBI: fixable bit-flip detected at PEB 912:0
UBI: fixable bit-flip detected at PEB 981:0
UBI: attached mtd1 to ubi0
UBI: MTD device name:            "mtd=2"
UBI: MTD device size:            127 MiB
UBI: number of good PEBs:        1018
UBI: number of bad PEBs:         0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    256
UBI: number of internal volumes: 1
UBI: number of user volumes:     7
UBI: available PEBs:             0
UBI: total number of reserved PEBs: 1018
UBI: number of PEBs reserved for bad PEB handling: 10
UBI: max/mean erase counter: 67/2
bootenv volume not found
using default environment
Found Atheros Switch AR8327
Net:   emac1
Hit any key to stop autoboot:  3  0 
hgw3 > help
?       - alias for 'help'
SSD1305 - Enables the SSD1305 Oled screen
SSD1305_OFF- Turn the screen off
base    - print or set address offset
boot    - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
chpart  - change active partition
cie     - displays the CIE parameter
cie_set - sets the CIE parameter
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dfa     - displays the DFA parameter
dfa_set - sets the DFA parameter
dhcp    - boot image via network using DHCP/TFTP protocol
editenv - edit environment variable
flag    - displays the factory flags
flag_set- sets one factory flag
go      - start application at address 'addr'
help    - print command description/usage
hx8347  - Enables the HX8347 screen
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
sb      - secure boot
secure_set- sets the bootloader in secure mode
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
ubi     - ubi commands
version - print monitor version
waitForMagic- Test WAIT_FOR_MAGIC function

Output of printenv:

bootargs=### no default boot args ###
bootcmd=sb
bootdelay=3
baudrate=115200
ethaddr=00:01:02:03:04:05
ipaddr=192.168.1.1
serverip=192.168.1.10
mtdparts=mtdparts=nand:128k(fboot),640k(reserved),-(partAll)
part_boot=partAll
part_main=partAll
netretry=once
_platform=generic
_tftp_ipl=tftp ${_platform}.fboot.fbin
_tftp_oldipl=tftp ${_platform}.oldfboot.fbin
_tftp_spl=tftp ${_platform}.sboot.sbin
_tftp_uboot=tftp ${_platform}.u-boot.bin
_tftp_olduboot=tftp ${_platform}.oldu-boot.bin
_tftp_pp=tftp ${_platform}.ppBIN
_tftp_oper=tftp ${_platform}.scos.oper.secure
_tftp_gsdf_oper=tftp ${_platform}.scos.oper.gsdf
_tftp_resc=tftp ${_platform}.scos.resc.secure
_tftp_gsdf_resc=tftp ${_platform}.scos.resc.gsdf
_select_boot=ubi part ${part_boot}
_select_main=ubi part ${part_main}
_ubi_eraze=nand erase 0xC0000 0xff40000; run _select_main
_ubi_mkvol1=ubi create factory 0x1f000 static; ubi create operational 0x1f00000 static
_ubi_mkvol2=ubi create permanent_param 0x1f000 static; ubi create rescue 0x1f00000 static
_write_ipl=nand erase 0x00000 0x20000; nand write 0x80400000 0x00000 0x9000
_write_oldipl=nand erase 0x00000 0x20000; nand write 0x80400000 0x00000 0x20000
_write_spl=ubi remove secondaryboot; ubi create secondaryboot ${filesize} static; ubi write 0x80400000 secondaryboot ${filesize} 
_write_uboot=ubi remove uboot; ubi remove bootenv; ubi create uboot ${filesize} static; ubi write 0x80400000 uboot ${filesize} 
_write_olduboot=nand erase 0x40000 0x80000; nand write 0x80400000 0x40000 0x60000
_write_pp=ubi remove permanent_param; ubi create permanent_param 0x1f000 static; ubi write 0x80400000 permanent_param ${filesize}
_write_oper=ubi remove operational; ubi create operational 0x1f00000 static; ubi write 0x80400000 operational ${filesize}
_write_resc=ubi remove rescue; ubi create rescue 0x1f00000 static; ubi write 0x80400000 rescue ${filesize}
ubi_init=run _ubi_eraze; run _ubi_mkvol1; run _ubi_mkvol2
reset_env=run _select_boot; ubi remove bootenv; ubi create bootenv 0x1f000
load_ipl=run _tftp_ipl _write_ipl 
load_oldipl=run _tftp_oldipl _write_oldipl 
load_spl=run _select_boot _tftp_spl _write_spl 
load_uboot=run _select_boot _tftp_uboot _write_uboot 
load_olduboot=run _tftp_olduboot _write_olduboot 
load_allboot=run _select_boot _tftp_uboot _tftp_spl _tftp_ipl _tftp_uboot _write_uboot _tftp_spl _write_spl _tftp_ipl _write_ipl
load_oldboot=run _select_boot _tftp_olduboot  _tftp_oldipl _tftp_olduboot _write_olduboot _tftp_oldipl _write_oldipl
load_pp=run _select_main _tftp_pp _write_pp 
load_oper=run _select_main _tftp_oper _write_oper 
load_gsdf_oper=run _select_main _tftp_gsdf_oper _write_oper 
load_resc=run _select_main _tftp_resc _write_resc 
load_gsdf_resc=run _select_main _tftp_gsdf_resc _write_resc 
mt
stdin=serial
stdout=serial
stderr=serial
ethact=emac1

Environment size: 2803/131068 bytes

Is there some bright head here who has an idea of how the complete NAND flash could be dumped?

Currently the only viable option I see is crafting a small kernel, booting it over TFTP and accessing the flash directly, as TFTP is active,
but I might be wrong.
Or even better, a way to bruteforce or bypass the shell login when fully booted so I can dump the partitions with dd over the network.

Any advice is greatly appreciated.
Thanks in advance.

Best regards
bitsmurf

(Last edited by bitsmurf on 9 Mar 2014, 16:54)

What about dumping over serial? It certainly takes forever and a half, but it might be quicker than compiling anything and all the hassle. A 128 MB binary should take about 4 hours, so the same in hex will probably take 8 hours. Then just use a hex2bin program and you should be done.

MBS wrote:

What about dumping over serial? It certainly takes forever and a half, but it might be quicker than compiling anything and all the hassle. A 128 MB binary should take about 4 hours, so the same in hex will probably take 8 hours. Then just use a hex2bin program and you should be done.

The problem is how, because when I try nand read I can only read a single page of the flash, and as I recall it only returns around 2 KiB of data at a time.
Maybe it's me who misunderstood the u-boot documentation
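A worked version of the serial-dump route discussed in the first post and in the reply above, as an added example and not code from the thread or from Sagemcom. In U-Boot 2010.09 `nand dump off` prints exactly one page (2 KiB plus OOB), which matches what the reply describes; `nand read addr off size` instead copies `size` bytes of ECC-corrected data from flash offset `off` into RAM, skipping bad blocks, and `md.b addr count` prints that RAM as hex. The script below generates the command pairs for a chunked dump (the 0x80400000 load address and 128 MiB flash size are taken from the printenv and boot log; the 16 MiB chunk size is an assumption, chosen because the whole flash cannot be staged in 128 MiB of RAM) and then turns a captured terminal log of `md.b` output back into a binary file, refusing silently dropped lines. The sample capture embedded in it is constructed, not real flash contents.

```python
"""Dump NAND through a restricted U-Boot prompt over serial (added example).

1. uboot_dump_script() lists the 'nand read' + 'md.b' command pairs that
   stage the flash in RAM chunk by chunk and print each chunk as hex.
2. md_capture_to_bytes() is the hex2bin step: it rebuilds the raw bytes
   from a terminal log of that session and errors on gaps in the capture.
"""
import re

# From the thread's printenv/boot log: scratch load address used by the
# env's own tftp recipes, and the 128 MiB NAND size U-Boot reports.
LOAD_ADDR = 0x80400000
NAND_SIZE = 128 * 1024 * 1024
# Assumption: 16 MiB per chunk. 128 MiB of NAND cannot be staged in 128 MiB
# of RAM in one go, so the dump has to be split.
CHUNK = 16 * 1024 * 1024


def uboot_dump_script(nand_size=NAND_SIZE, chunk=CHUNK, load_addr=LOAD_ADDR):
    """Return the U-Boot command lines to type, in order, one chunk at a time."""
    cmds = []
    for off in range(0, nand_size, chunk):
        size = min(chunk, nand_size - off)
        # 'nand read addr off size': size bytes from flash offset off into RAM,
        # bad blocks skipped and ECC applied (a logical image, not raw pages).
        cmds.append(f"nand read 0x{load_addr:08x} 0x{off:x} 0x{size:x}")
        # 'md.b addr count': print count bytes of RAM as 16-byte hex lines.
        cmds.append(f"md.b 0x{load_addr:08x} 0x{size:x}")
    return cmds


# One md.b output line: 8 hex digits, colon, 1..16 ' xx' byte fields, then
# four spaces and an ASCII column we ignore.
_MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s|$)")
# The echoed 'md.b <addr> <count>' command marks the start of a new chunk.
_MD_CMD = re.compile(r"\bmd\.b\s+(?:0x)?([0-9a-fA-F]+)")


def md_capture_to_bytes(capture):
    """Reassemble bytes from a serial log containing md.b output.

    Prompts, echoed commands and 'NAND read:' status lines are skipped.
    Within one md.b run the addresses must be contiguous; a jump means the
    terminal dropped a line (typical without flow control) and a ValueError
    reports where in the dump that happened, so the chunk can be re-read.
    """
    out = bytearray()
    expected = None  # RAM address the next data line must carry
    for raw in capture.splitlines():
        m = _MD_LINE.match(raw)
        if not m:
            cmd = _MD_CMD.search(raw)
            if cmd:  # a new md.b run restarts at its own start address
                expected = int(cmd.group(1), 16)
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if expected is None:
            expected = addr
        if addr != expected:
            raise ValueError(
                f"gap in capture: expected 0x{expected:08x}, got 0x{addr:08x} "
                f"(dump offset 0x{len(out):x})")
        out += data
        expected = addr + len(data)
    return bytes(out)


# Constructed sample log (not real flash contents): two 0x20-byte rounds as
# the console would show them, with prompts and status lines interleaved.
SAMPLE_CAPTURE = """\
hgw3 > nand read 0x80400000 0x0 0x20

NAND read: device 0 offset 0x0, size 0x20
 32 bytes read: OK
hgw3 > md.b 0x80400000 0x20
80400000: 27 05 19 56 50 2a d5 a1 51 4a 78 9f 00 0e 45 a8    '..VP*..QJx...E.
80400010: 80 40 00 00 80 40 00 00 a7 18 95 3e 05 05 02 00    .@...@.....>....
hgw3 > nand read 0x80400000 0x20 0x20

NAND read: device 0 offset 0x20, size 0x20
 32 bytes read: OK
hgw3 > md.b 0x80400000 0x20
80400000: 55 42 49 23 01 00 00 00 00 00 00 00 00 00 00 2f    UBI#.........../
80400010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
hgw3 > """


if __name__ == "__main__":
    print("\n".join(uboot_dump_script()))
    with open("nand_from_serial.bin", "wb") as f:
        f.write(md_capture_to_bytes(SAMPLE_CAPTURE))
```

Log the terminal session to a file while typing the generated commands, then feed that file to `md_capture_to_bytes`. Because `nand read` skips bad blocks and returns ECC-corrected data, the result is a logical image (what UBI would see, and directly usable with `ubireader`), not a page-for-page copy with OOB; if the goal is a raw image, the only route from this prompt is `nand dump.oob` one page at a time, which is the 2 KiB-per-call behaviour the reply describes.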

@bitsmurf: Were you able to test and confirm if the EJTAG header was active or otherwise access the contents of the flash?

The discussion might have continued from here.