c4ceecee commented on August 22, 2024

Interesting... let me know if this works for you:
rl.txt.gpg.zip

from arris-vip1113.

antnks commented on August 22, 2024

@c4ceecee 3.3v, you can solder wires like I did on the photos

@dgudim "Kernel protocol = 313" means it will try to boot from method "3", then try "1", then again "3". Ex, "12345" or "23456"

antnks commented on August 22, 2024

You can ask here in comments.
If the topic is sensitive, encrypt your message using my PGP key:

#2 (comment)

c4ceecee commented on August 22, 2024

Hi @antnks! Thanks for the great work so far. Regarding the readme document: how does one get to the service menu where the tftp addresses can be set? Does the bootloader expect the images downloaded from the specified servers to be signed?

antnks commented on August 22, 2024

@c4ceecee I have added info about hidden menu: https://github.com/antnks/arris-vip1113/blob/main/README.md#hidden-menu

Yes, the firmware image must be signed. If the signature is wrong you will see an error on the serial console

c4ceecee commented on August 22, 2024

Oh thanks! I have a VIP2853 and I was hoping that I could've used the code made available on Sourceforge to boot into a customized OS.

Mine connects on boot to an unsecured http service, and I was thinking that intercepting that would be enough.
arrisvip2853boot.telenor.se/telenor-vip2853?product=telenor-vip2853&serial=M111111TW3333&mac=01:01:01:01:01:01&fw_version=5.1.5&kernel_version=none&splash_version=Ownit

But the payload it responds with doesn't seem to trigger an update:

> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/xml; charset=utf-8
< Content-Length: 438
< Date: Wed, 14 Feb 2024 14:31:20 GMT
< Connection: keep-alive
<
<?xml version="1.0"?>
<StbConfig>
  <BootParams>
    <KernelUrl>http://arrisvip2853boot.telenor.se:80/data/{some alphabetic string}</KernelUrl>
    <KernelVersion>4.10.1.telenor.5_231003</KernelVersion>
    <SplashUrl>infocast://234.213.112.94:22221/splash-data_2800</SplashUrl>
    <SplashVersion>Ownit_211020</SplashVersion>
  </BootParams>
  <PermanentParams>
    <Bootcast>234.213.112.72:11111</Bootcast>
  </PermanentParams>

Seems like my Telenor variant does not respond to those codes you listed, probably customized by the vendor.

So I guess that serial console doesn't present any sort of login prompt?

antnks commented on August 22, 2024

As soon as you enter the hidden menu you can force to boot from whatever you want, like, http, tftp, usb, multicast, nfs and something else. But you need to have a firmware to feed

Are you able to download the image from http://arrisvip2853boot.telenor.se:80/data/{some alphabetic string}?

antnks commented on August 22, 2024

> So I guess that serial console doesn't present any sort of login prompt?

It depends on the build. Some providers may deliver a firmware with serial enabled. You can try

c4ceecee commented on August 22, 2024

> As soon as you enter the hidden menu you can force to boot from whatever you want, like, http, tftp, usb, multicast, nfs and something else. But you need to have a firmware to feed

I could not for the life of me get either menu to show up. If I press the info button during I can see the IP address received and the serial/model number of the device. But those numbers have no effect during boot or once the OS is fully loaded. I guess maybe Telenor's firmware has different codes?

> Are you able to download the image from http://arrisvip2853boot.telenor.se:80/data/{some alphabetic string}?

Yes, the link definitely works. I get a 32MB binary file. The firmware version of the update seems to be the only clear text within that file when I use a hex editor.

antnks commented on August 22, 2024

The firmware is encrypted with a model-specific key. I haven't yet found a way to get the key.
An example of a cold dump reverse engineer: https://www.duff.dk/zaptor/

Could you upload the firmware here for future research?

c4ceecee commented on August 22, 2024

@antnks I'm curious, how were you able to determine the voltage/logic level of the board for UART? Is it 3.3v or 5v? Are those UART pins labelled as J12? Are E126/E127 used as the TX/RX pins? I'm looking at whether I could get a hold of the console. Thanks!

dgudim commented on August 22, 2024

I have a vip4302. I was able to enable the debug menu, but whatever I do, I can't get it to even try to connect to my local address. (Only netconsole)

End of the log is interesting

Unable to find a valid boot image. Trying the Golden Image...
No valid golden image stored in flash.

Here is my menu:
menu.zip

dgudim commented on August 22, 2024

Mine is also marked as a "development unit" on the back, it might be with an unlocked bootloader or something, maybe shell on uart. Will report when I buy the uart adapter

c4ceecee commented on August 22, 2024

> @c4ceecee 3.3v, you can solder wires like I did on the photos
>
> @dgudim "Kernel protocol = 313" means it will try to boot from method "3", then try "1", then again "3". Ex, "12345" or "23456"

@antnks I am only getting some garbage when using '115200 8 n 1' as the serial configuration with a CH340G adapter when I connect my vip2853. Those serial options are used on some other Arris devices, but maybe that console is switched off in my firmware?

antnks commented on August 22, 2024

@c4ceecee if you get garbage, try all possible standard baud rates, maybe vip2853 uses some other
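
The baud-rate sweep suggested above, as an added example that is not part of the original thread: capture a few seconds at each standard rate and keep the rate whose bytes look like console text. The pyserial dependency, the port name passed to `capture_all`, the 0.9 threshold and the sample bytes are all assumptions; the sample captures are constructed, not taken from a real VIP2853.

```python
"""Rank candidate UART baud rates by how text-like the captured bytes are."""

STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable + tab/LF/CR

# Constructed sample captures (hypothetical): two wrong rates and one right one.
CONSTRUCTED = {
    9600: bytes.fromhex("00f88000fe007880f80080fe0000f8807800"),
    57600: bytes.fromhex("e698069ee018f886661e98e606f8809e60e6"),
    115200: b"DBL init started\r\nVerifying system integrity...\r\n",
}


def text_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF; 0.0 if empty."""
    if not data:
        return 0.0
    return sum(b in TEXT_BYTES for b in data) / len(data)


def best_baud(captures: dict, threshold: float = 0.9, min_bytes: int = 16):
    """Return (baud, score) for the most text-like capture.

    Returns None when no rate clears the threshold, which is what a console
    disabled in firmware (or a wrong logic level or pin) looks like.
    """
    scored = [(text_score(d), b) for b, d in captures.items() if len(d) >= min_bytes]
    if not scored:
        return None
    score, baud = max(scored)
    return (baud, score) if score >= threshold else None


def capture_all(port: str, seconds: float = 3.0, bauds=STANDARD_BAUDS) -> dict:
    """Read up to 4 KiB at each rate in 8N1. The box must be emitting output
    (for example, power-cycled) during every capture window."""
    import serial  # pyserial; imported lazily so the scoring runs without it
    out = {}
    for baud in bauds:
        with serial.Serial(port, baudrate=baud, bytesize=8, parity="N",
                           stopbits=1, timeout=seconds) as s:
            out[baud] = s.read(4096)
    return out


if __name__ == "__main__":
    print(best_baud(CONSTRUCTED))
```

With hardware attached, `best_baud(capture_all("/dev/ttyUSB0"))` runs the sweep; the port name depends on the adapter and OS.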

dgudim commented on August 22, 2024

I finally got time to poke my vip4302. Looks like even though it is a dev unit, there is no serial console.

Here is the boot log for lols

IP-Config: Guessing netmask 255.255.0.0
DBL init started
DBL version STABLE_BOOT_LOADER_6.7.3@572716 (dailybuild@garnheath) (arm-kreatv-linux-gnueabihf-gcc (Broadcom stbgcc-4.8-1.1) 4.8.5)# Wed Jun  8 15:27:05 CEST 2016
Verifying system integrity...
System integrity is intact
Running on ARRIS VIP4302 with KreaTV Boot Loader version 6.7.3
Using Vendor Class Id ARRIS_VIP4302WBT_DEV
Using Bootcast Id arris-vip4302wbt-dev
wl: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
PCI: enabling device 0000:00:00.0 (0140 -> 0143)
PCI: enabling device 0000:01:00.0 (0140 -> 0142)
Initializing video
Entering video active mode
Copying 1244491 bytes...
Using splash image in flash
Bringing up interface eth0
Reading link status...
Uncompressed 24 bits image
-> Link is down
Using WiFi interface
Bringing down interface eth0
Bringing up interface eth1
RTMPSetPhyMode: Update for STA
Found a Mediatek WEXT WiFi device
RTMPSetPhyMode: Update for STA
WiFi Driver version-3.0.1.108, Jun  8 2016 15:24:10
Failed to find power table for regulatory domain SE, trying default
RTMPSetPhyMode: Update for STA
Bringing up the WiFi wizard
Found a Mediatek WEXT WiFi device
RTMPSetPhyMode: Update for STA
WiFi Driver version-3.0.1.108, Jun  8 2016 15:24:10
RTMPSetPhyMode: Update for STA
Failed to find power table for regulatory domain SE, trying default
RLE-8 compressed image

looks like I am out of luck here
