inbox:toh:virgin.media.superhub.2

Useful page: http://electronics360.globalspec.com/article/3410/netgear-super-hub-2-vmdg485-wireless-router-teardown

Even more useful, albeit patched - details and an exploit via config restore: https://www.contextis.com/blog/hacking-virgin-media-super-hub

Photos: https://wikidevi.com/wiki/Virgin_media_superhub_2

Model name: VMDG485. Not supported? If you buy it second-hand it cannot be activated by VM; it is still their property.

Major chip: W248TH72 SLHCZ DNCE2530GU

Memory: SKhynix H5PS1G63JFR Y5C 307V NWKN2366H3

Wifi1: ATHEROS AR8327-BL1A E4U375.3B 1305 TAIWAN

Wifi2: ATHEROS AR9580-AR1A PNF488.003C 1301 KOREA

Cable modem chip: MxL MXL261

SR3H6 . 16 1307 CC

Flash: SPANSION 70 FL256POXMF 100 245QQ044 A Copyright 10 SPANSION

Produced in China for Netgear

PCB name: ACM6234 REV : 3.11

Some chip: ATHEROS AR 9344-BC2A PKS787 . 002B 1306 TAIWAN

Another memory: SKhynix H5PS5162GFR Y5C 309V NWKH1886HY3

Small chip on pcb: MAXIM 3520E TP242 +NSBH

2042B 2AM ACN8

Tbc

U-Boot boot wait is disabled by default.

Serial console login/password: root/5up

(connected to puma5 serial)
U-Boot 1.2.0 (May  6 2013 - 15:14:41)
PSPU-Boot 1.0.20.1356

DRAM:  128 MB
Spansion S25FL129P flash found
Spansion S25FL129P flash found
Flash: 32 MB
In:    serial
Out:   serial
Err:   serial
*** ACTIMAGE = 2, will try to boot UBFI2 stored @0x4c000000
## Executing script at 4c000000
============== Running script =========
*** Running from UBFI2 partition @0x4c000000
Load address = 0x4c00253c (0x253c)
Kernel address = 0x4c002588 (0x2588)
kernel size = 0x106678
FS address = 0x4c108c00 (0x108c00)
FS size = 0x69f400
NVRAM offset = 0xfb0000
NVRAM size = 0x50000
*** UBFI2 bootscript executed successfully.
Start booting...
## Booting image at 4c00253c ...
   Image Name:   Multi Image File
   Image Type:   ARM Linux Multi-File Image (uncompressed)
   Data Size:    8018564 Bytes =  7.6 MB
   Load Address: 80a00000
   Entry Point:  80a00000
   Contents:
   Image 0:  1074808 Bytes =  1 MB
   Image 1:  6943744 Bytes =  6.6 MB
   Verifying Checksum ... OK
OK

Starting kernel ...

Starting LZMA Uncompression Algorithm.
Compressed file is LZMA format.
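
Added example (not from the original page): a Python check that the offsets and sizes printed in the PUMA5 U-Boot log above agree with each other, yielding the kernel and filesystem byte ranges inside the UBFI2 partition for carving a flash dump. It assumes the legacy 64-byte U-Boot image header and the multi-file size table (one 32-bit length per image plus a zero terminator); the function names are illustrative.

```python
import re

# Lines copied from the PUMA5 U-Boot log on this page.
BOOT_LOG = """\
Load address = 0x4c00253c (0x253c)
Kernel address = 0x4c002588 (0x2588)
kernel size = 0x106678
FS address = 0x4c108c00 (0x108c00)
FS size = 0x69f400
   Data Size:    8018564 Bytes =  7.6 MB
   Image 0:  1074808 Bytes =  1 MB
   Image 1:  6943744 Bytes =  6.6 MB
"""

UIMAGE_HEADER_LEN = 64  # assumption: fixed size of a legacy U-Boot image header


def parse_layout(log):
    """Pull partition-relative offsets and sizes out of the boot output."""
    def grab(pattern, base):
        return int(re.search(pattern, log).group(1), base)
    return {
        "load_off": grab(r"Load address = 0x[0-9a-f]+ \(0x([0-9a-f]+)\)", 16),
        "kernel_off": grab(r"Kernel address = 0x[0-9a-f]+ \(0x([0-9a-f]+)\)", 16),
        "kernel_size": grab(r"kernel size = 0x([0-9a-f]+)", 16),
        "fs_off": grab(r"FS address = 0x[0-9a-f]+ \(0x([0-9a-f]+)\)", 16),
        "fs_size": grab(r"FS size = 0x([0-9a-f]+)", 16),
        "data_size": grab(r"Data Size:\s+(\d+) Bytes", 10),
        "images": [int(n) for n in re.findall(r"Image \d+:\s+(\d+) Bytes", log)],
    }


def check_layout(lay):
    """Return a list of inconsistencies; empty means the numbers agree."""
    problems = []
    # A multi-file payload starts with one 32-bit size per image plus a zero terminator.
    table_len = 4 * (len(lay["images"]) + 1)
    if lay["kernel_off"] - lay["load_off"] != UIMAGE_HEADER_LEN + table_len:
        problems.append("kernel does not follow header + size table")
    if lay["images"] != [lay["kernel_size"], lay["fs_size"]]:
        problems.append("bootscript sizes differ from image header sizes")
    if lay["fs_off"] != lay["kernel_off"] + lay["kernel_size"]:
        problems.append("filesystem does not directly follow kernel")
    if lay["data_size"] != table_len + sum(lay["images"]):
        problems.append("Data Size does not equal size table + images")
    return problems


def carve_ranges(lay):
    """Byte ranges (start, end) relative to the UBFI partition start."""
    return {"kernel": (lay["kernel_off"], lay["kernel_off"] + lay["kernel_size"]),
            "fs": (lay["fs_off"], lay["fs_off"] + lay["fs_size"])}
```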

-----------------
(connected to ar9344 serial)
WASP BootROM Ver. 1.1
GMAC start
ROM>:mdio download ready
find_hif: bootstrap = 0xbe075b
WASP BootROM Ver. 1.1
GMAC start
ROM>:mdio download ready
Firmware Download length 12
Firmware Exec Address bd004000
Firmware checksum 0xfad27631
started receiving bytes 11188
completed receiving bytes
Firmware Download is good
COMMAND TO START FIRMWARE RECEIVED
initialize PLL & DDR U10

sri
Wasp 1.2
Wasp (16bit) ddr1 init
setting for 40
fw1: GMAC Init
Receiving gmac params
ag7240_gmac_initialize...
Setting for f1e vir phy
sending discovery ...
*sending discovery ...
*sending discovery ...
*sending discovery ...
*inside __gmac_process_discv
__gmac_process_discv: received bytes
***********************************************************************[...]

Somehow it gets out of the hidden stars:

*sending discovery ...
*sending discovery ...
*sending discovery ...
*inside __gmac_process_discv
__gmac_process_discv: received bytes
***********************************************************************[...]Calling 2nd stage
Lzma decompressing(addr: 81202c00 len: 1897208)...
Jump to kernel(addr: 801a1680)...
Booting Atheros AR934x
Linux version 2.6.31--LSDK-9.2.0_U6.621 (pegauser@localhost.localdomain) (gcc version 4.3.3 (GCC) ) #1 Sun Mar 31 12:37:38 CST 2013
flash_size passed from bootloader = 37
CPU revision is: 0001974c (MIPS 74Kc)
ath_sys_frequency: cpu srif ddr srif cpu 560 ddr 450 ahb 225
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Initial ramdisk at: 0x810d0000 (1066533 bytes)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttyS0,115200 root=01:00 rd_start=0x810d0000 rd_size=1066533 init=/sbin/init mem=64m mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),6336k(rootfs),1408k(uImage),64k(mib0),64k(ART)
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 46632k/65536k available (1678k kernel code, 18828k reserved, 435k data, 152k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 279.55 BogoMIPS (lpj=559104)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 80249580 (0xe00000 bytes)
********************************************

NET: Registered protocol family 16
PCI init:ath_pcibios_init
ath_pcibios_init(294): PCI CMD write: 0x356
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
pci 0000:00:00.0: PME# supported from D0 D1 D3hot
pci 0000:00:00.0: PME# disabled
Returning IRQ 64
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
Trying to unpack rootfs image as initramfs...
rootfs image is not initramfs (no cpio magic); looks like an initrd
Freeing initrd memory: 1041k freed
ATH GPIOC major 0
JFFS2 version 2.2 (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 93
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
DEBUG-CMDLINE-PART: parsing <1024k(ART)>
DEBUG-CMDLINE-PART: partition 0: name <ART>, offset ffffffff, size 100000, mask flags 0
DEBUG-CMDLINE-PART: mtdid=<mtdparts=ath-nor0> num_parts=<1>
parse_cmdline_partitions: part mtdparts=ath-nor0
parse_cmdline_partitions: part num 1
1 cmdlinepart partitions found on MTD device ath-nor0
Creating 1 MTD partitions on "ath-nor0":
0x000000000000-0x000000100000 : "ART"
TCP cubic registered
NET: Registered protocol family 17
arch/mips/atheros/gpio.c (ath_simple_config_init) ATH_GPIO_OE   : 22f31b
arch/mips/atheros/gpio.c (ath_simple_config_init) WPS_LED_GPIO        : 13
arch/mips/atheros/gpio.c (ath_simple_config_init) WIFI24G_LED_GPIO       : 12
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO_WIFI : 16
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO      : 20
arch/mips/atheros/gpio.c (ath_simple_config_init) ATH_GPIO_OE         : 33131b
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
ath_clksw_init: Registering Clock Switch Interface success
RAMDISK: lzma image found at block 0
VFS: Mounted root (ext2 filesystem) readonly on device 1:0.
Freeing unused kernel memory: 152k freed
init started:  BusyBox v1.01 (2013.03.31-04:37+0000) multi-call binary
init started:  BusyBox v1.01 (2013.03.31-04:37+0000) multi-call binary
Starting pid 16, console /dev/ttyS0: '/etc/rc.d/rcS'
ATHR_GMAC: Length per segment 1536
ATHR_GMAC: fifo cfg 3 01f00140
ATHR_GMAC: RX TASKLET - Pkts per Intr:100
ATHR_GMAC: Mac address for unit 0:bfff0000
ATHR_GMAC: 00:00:00:00:00:00
Registering Virtual F1E Phy....
ATHR_GMAC: Max segments per packet :   1
ATHR_GMAC: Max tx descriptor count :   128
ATHR_GMAC: Max rx descriptor count :   192
ATHR_GMAC: Mac capability flags    :   2380
athr_gmac_ring_alloc Allocated 2048 at 0x8384b000
athr_gmac_ring_alloc Allocated 3072 at 0x831ee000
WASP ----> VIR F1E PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames
FIFO_CFG_5 setting for s17 phy
Setting PHY...
SIOCGIFFLAGS: No such deviceJumbo Frame enabled in Mac:0

Jumbo Frame sz val:800
athr_gmac_ring_free Freeing at 0x8384b000
athr_gmac_ring_free Freeing at 0x831ee000
athr_gmac_ring_alloc Allocated 2048 at 0x8384b000
athr_gmac_ring_alloc Allocated 3072 at 0x831ee000
WASP ----> VIR F1E PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames
FIFO_CFG_5 setting for s17 phy
Setting PHY...
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004
ath-ehci ath-ehci.0: ATH EHCI
ath-ehci ath-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000
ath-ehci ath-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
mac address  dest -->  0: 3:7f:ff:ff:ff
 mac address  src--> ff:ff:ff:ff:ff:ff
  __gmac_dev_event *************************************
 event 5 name lo
 __gmac_dev_event *************************************
 event 5 name eth0
 __gmac_dev_event *************************************
 event 1 name eth0
Timer started
Atheros Fulloffload Target Loaded
Args: 1
/etc/rc.d/rc.wlan: 152: lsmod: not found
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
insmod: cannot open module `/lib/modules/2.6.31/net/ath_spectral.ko': No such file or directory
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_ahb: 9.2.0_U6.621 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
Wasp Enterprise mode: 0x03fc0000
Restoring Cal data from Flash
ar9300EepromRestore: overwrite wasp antCtrlChain2g from (10, 10, 10) to (150, 150, 150)
dfs_attach: use DFS enhancements
DFS min filter rssiThresh = 18
DFS max pulse dur = 151 ticks
ath_get_caps[4967] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[4942] tx chainmask mismatch actual 3 sc_chainmak 0
 __gmac_dev_event *************************************
 event 5 name wifi0
SC Callback Registration for wifi0
wifi0: Atheros 9340: mem=0xb8100000, irq=2
ath_pci: 9.2.0_U6.621 (Atheros/multi-bss)
__ath_attach: Set global_scn[1]
ACBKMinfree = 48
ACBEMinfree = 32
ACVIMinfree = 16
ACVOMinfree = 0
CABMinfree = 48
UAPSDMinfree = 0
Restoring Cal data from Flash
dfs_attach: use DFS enhancements
DFS min filter rssiThresh = 18
DFS max pulse dur = 151 ticks
ath_get_caps[4967] rx chainmask mismatch actual 7 sc_chainmak 0
ath_get_caps[4942] tx chainmask mismatch actual 7 sc_chainmak 0
 __gmac_dev_event *************************************
 event 5 name wifi1
SC Callback Registration for wifi1
wifi1: Atheros 9580: mem=0x10000000, irq=64 hw_base=0xb0000000
athstats
80211stats
wlanconfig
pktlogconf
pktlogdump
radartool
Starting pid 75ATH_MAC_TIMER: enet unit:0 is up...
RGMii 1000Mbps full duplex
ATH_MAC_TIMER: done cfg2 0x7235 ifctl 0x0 miictrl
 __gmac_dev_event *************************************
 event 4 name eth0
exisiting node  eth0
module init Netlink interface number created: 20
lo register notification
register new vap lo
eth0 register notification
register new vap eth0
Ignoring eth0 notification 1
All the wifi detected 1:1  Send HTC Ready
Wifi Detected Send HTC ready
Sending HTC ready
wifi0 register notification
wifi1 register notification
Target Iniitialized

 (none) mips #1 Sun Mar 31 12:37:38 CST 2013 (none)
(none) login:

inbox/toh/virgin.media.superhub.2.txt · Last modified: 2017/11/22 02:26 by GreenReaper