04-08-2025, 05:44 PM
I wanted to mention that I know the posted data set and Python code both contain minor errors.
For the data set: I will be posting a new data set with revalidated data, additional columns, and new entries.
For the Python code: I realized since the info in the date blocks is the same, we can output a lot of details about a specific device, including the correct keyspace for a dictionary attack based on MAC. I will also be sharing the various scripts that I’ve discussed once I clean them up a little bit.
For now if anyone can help with the firmware it would be greatly appreciated. Here is a bit more info in that regard.
I found a nice teardown of the device here: https://fccid.io/RAXG3100/Internal-Photo...330446.pdf
Here we see the CPU chip is a BROADCOM BCM43684KRFBG. (product page)
From the UART output posted previously we know that it is running AArch64 Linux. Is the sha256 hash value just a check, or something that can be cracked?
```
## Loading kernel from FIT Image at 02000000 ...
Using 'conf_lx_VERIZON-G3100' configuration
Verifying Hash Integrity ... OK
Trying 'kernel' kernel subimage
Description: 4.19 kernel
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x0228c800
Data Size: 3461392 Bytes = 3.3 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x00100000
Entry Point: 0x00100000
Hash algo: sha256
Hash value: 77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
Verifying Hash Integrity ... sha256+ OK
```
The memory is TOSHIBA TH58NVG3S0HTA10 (data sheet). It looks like there are test pads to access the memory. Figuring out the layout and dumping directly from the chip is probably a bit above my skillset currently.
Part of the UART output posted earlier:
```
MEMC DRAM profile (memc_dram_profile_struct) values:
dram_type = DDR3
====================================================
PART values:
part_speed_grade = 1600 CL11
part_size_Mbits = 4096 (DRAM size in MegaBits)
part_row_bits = 15 (number of row bits)
part_col_bits = 10 (number of column bits)
part_ba_bits = 3 (number of bank bits)
part_width_bits = 16 (DRAM width in bits)
NUMER OF PARTS:
part_num = 1 (Number of parts)
TOTAL values:
total_size_Mbits = 4096 (DRAM size in MegaBits)
total_cs_bits = 0 (number of cs bits, for dual_rank mode)
total_width_bits = 16 (DRAM width in bits)
total_burst_bytes = 16 (Number of bytes per DRAM access)
total_max_byte_addr = 0x1fffffff (Maximum/last DRAM byte address)
(Number of bits in total_max_byte_addr is 29)
(i.e. total_max_byte_addr goes from bit 0 to bit 28)
```
There are 2 boards inside the device. Each has an obvious UART, however I was only able to get output from 1. Unfortunately I don’t remember the pin layout, but I used a multimeter to find (+) and (-). I think RX/TX were right on my first try, otherwise swap them. There is also possibly a JTAG connector, but I don’t have much experience with that.
Bad UART: Board without COAX connector.
Good UART: Board with the COAX connector
There are several other chips on the boards, such as ZM5101A-CME3, Broadcom B50212E, ERF32, SEC 907(?), MXL3711, which I know very little about.
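Added example, not part of the original post or the poster's scripts: in a U-Boot FIT image, the `Hash value` printed for a subimage is a digest computed over that subimage's data bytes, which the bootloader recomputes at boot. The sketch below parses the logged fields and checks a firmware dump against them. It assumes the dump is the FIT blob starting at the logged load address; the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Lines copied from the boot log in the post above.
PAGE_LOG = """\
## Loading kernel from FIT Image at 02000000 ...
Data Start: 0x0228c800
Data Size: 3461392 Bytes = 3.3 MiB
Hash algo: sha256
Hash value: 77e40836ec218fa969f9d2bd572115ed9a7ef008cc75bfec4912354ce78a6349
"""

FIELDS = {
    "fit_base": (r"FIT Image at ([0-9a-fA-F]+)", lambda s: int(s, 16)),
    "data_start": (r"Data Start:\s*0x([0-9a-fA-F]+)", lambda s: int(s, 16)),
    "data_size": (r"Data Size:\s*(\d+) Bytes", int),
    "algo": (r"Hash algo:\s*(\w+)", str.lower),
    "digest": (r"Hash value:\s*([0-9a-fA-F]+)", str.lower),
}

def parse_fit_log(log):
    """Extract the first subimage's location and digest as printed by U-Boot."""
    info = {}
    for name, (pattern, convert) in FIELDS.items():
        match = re.search(pattern, log)
        if match is None:
            raise ValueError(f"field missing from log: {name}")
        info[name] = convert(match.group(1))
    # Data Start is a RAM address; subtracting the FIT load address gives
    # the subimage offset inside a dump of the FIT blob (assumption above).
    info["offset"] = info["data_start"] - info["fit_base"]
    return info

def verify_subimage(fit_blob, info):
    """True if the bytes at offset/size in fit_blob hash to the logged digest."""
    if info["algo"] not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algo: {info['algo']}")
    end = info["offset"] + info["data_size"]
    if info["offset"] < 0 or end > len(fit_blob):
        return False  # truncated or misaligned dump
    digest = hashlib.new(info["algo"], fit_blob[info["offset"]:end]).hexdigest()
    return hmac.compare_digest(digest, info["digest"])

if __name__ == "__main__":
    page = parse_fit_log(PAGE_LOG)
    print(f"kernel subimage at FIT offset {page['offset']:#x}, "
          f"{page['data_size']} bytes, {page['algo']} {page['digest']}")
```

A `False` result on a dump usually means the read was truncated, the base address assumption is wrong, or the flash contents differ from what booted.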