WHR G300N Revert to original firmware

DD-WRT Forum Index -> Ralink SoC based Hardware
DoesItMatter (DD-WRT Guru; joined 10 May 2008; 1380 posts; Pacific North West, USA)
Posted: Tue Jun 01, 2010 8:53
OK.

I've got 2 CA-42 serial converters from e-bay in hand.

I've never had to jtag or connect serial port to any router.

Just never broke one that bad!

So... If I'm successful in connecting this serial to an original WHR-G300N,
What commands would I need to run in order to dump the original firmware?

_________________
Soylent Green Is People!
Netgear Nighthawk R7000 - DD-WRT Build R46220
Linksys EA8500 - OpenWRT IPQ806x Trunk R16375 5.4 Kernel
TP-Link Archer C7 V3 - OpenWRT Build R16290 5.4 Kernel
Linksys E3000 - FreshTomato Build MIPSR2 2021.2
LOM (DD-WRT Guru; joined 28 Dec 2008; 7647 posts)
Posted: Tue Jun 01, 2010 9:37
Start with cutting off the phone connector but leave some 15mm of cable there so you can test with an ohm-meter which wire colour goes to which pin in the phone connector.

The wire colours are not standardized, each mfgr of CA-42 (and there are many of them) connects them differently.

Did you get 3-wire, 4-wire, or 5-wire CA-42?

For the boot loader commands, let's wait until you've got your cable connected and can see output from the boot loader on a terminal program.

_________________
Kernel panic: Aiee, killing interrupt handler!
DoesItMatter (DD-WRT Guru)
Posted: Tue Jun 01, 2010 19:18
OK... I also had ordered in the past a Kyocera KX1 USB-serial converter.

It's got the Prolific chip in there.

I cut off the ends; it has 4 wires: red, black, white, blue.

I have the USB drivers installed for Windows 7, so it's installed and recognized as Com3

Red = +5 Volts
Black = Ground

White / Blue = not sure - RX/TX ?

When I hookup the serial - do I just need RX/TX and GND?

junpit (DD-WRT Novice; joined 06 Nov 2007; 27 posts)
Posted: Tue Jun 01, 2010 20:11
Hi. 5V is too much unless the device is 5v tolerant and I don't think it is. You'll need a 3.3v power, not 5v.

HTH

Junpit
DoesItMatter (DD-WRT Guru)
Posted: Tue Jun 01, 2010 21:56
OK...

Not sure what's going on, but I don't see any serial output.

I tried the Kyocera KX1/KX16 data cable, also tried with the CA-42 cable.

Both are using the Prolific USB to Serial, and I have installed
the latest drivers from Prolific website, 3.3.11.152 - 03/12/10

I have tried on Com3 and Com4 settings, 57600,8,n,1 and no hardware control

Tried same settings on the Com program - HyperTerm and Putty thru serial - nada

I don't see any output or anything coming over the com port.

I have GND hooked up, I know what that one is.
I do NOT have the power (+5) connected

I checked voltage with multi-meter.

I have GND, 3.3V, 3.3V

I tried swapping the 2 leads for TX/RX - but I see nothing.

I'd expect to at least see gibberish or messed up text, but NOTHING shows.

I have tried switching TX/RX connections - no luck

Any tips/hints?

DoesItMatter (DD-WRT Guru)
Posted: Wed Jun 02, 2010 0:47
LOM wrote:
Start with cutting off the phone connector but leave some 15mm of cable there so you can test with an ohm-meter which wire colour goes to which pin in the phone connector.

The wire colours are not standardized, each mfgr of CA-42 (and there are many of them) connects them differently.

Did you get 3-wire, 4-wire, or 5-wire CA-42?

For the boot loader commands, let's wait until you've got your cable connected and can see output from the boot loader on a terminal program.


The Kyocera has 4 wires - Black/Red/White/Blue

The CA-42 I have has 3 wires - Blue, Red, Orange

LOM (DD-WRT Guru)
Posted: Wed Jun 02, 2010 19:32
DoesItMatter wrote:
LOM wrote:
Start with cutting off the phone connector but leave some 15mm of cable there so you can test with an ohm-meter which wire colour goes to which pin in the phone connector.

The wire colours are not standardized, each mfgr of CA-42 (and there are many of them) connects them differently.

Did you get 3-wire, 4-wire, or 5-wire CA-42?

For the boot loader commands, let's wait until you've got your cable connected and can see output from the boot loader on a terminal program.


The Kyocera has 4 wires - Black/Red/White/Blue

The CA-42 I have has 3 wires - Blue, Red, Orange


Ok, I've got a 3-wire CA-42 with the same colours, red is ground in mine.
If you connect blue and orange together while tapping on the keyboard you should see those characters appear on the screen.

The COM port assigned to USB may change when you unplug and plug back the CA-42.
Open Device Manager in Windows and look under the tab for serial ports, and you'll see which COM port has been assigned to the Prolific.

Baudrate should be 57600 for this router, 8,N,1 and no flow control/handshake of any kind.

LOM (DD-WRT Guru)
Posted: Wed Jun 02, 2010 19:45
Btw, I have done some disassembly of the U-Boot in the WHR-G300Nv1 and it is not fun reading: all useful commands for sending out files have been stripped off.

I will later on this week try to see if I can decrypt a factory firmware, hoping that they have used the same algorithm as for the Atheros based routers.
I can already decrypt the factory firmware of WZR-HP-G300NH, WHR-HP-G300N, and the WHR-G300Nv2.
Have not tested WHR-HP-GN but assume I can do that one as well.

The header in the v1 is a bit different from the others though so I'm not sure if it is encrypted in the same way.

Kcolyhs (DD-WRT Novice; joined 03 Aug 2009; 40 posts)
Posted: Thu Jun 03, 2010 0:01
LOM wrote:
Btw, I have done some disassembly of the U-Boot in the WHR-G300Nv1 and it is not fun reading: all useful commands for sending out files have been stripped off.

I will later on this week try to see if I can decrypt a factory firmware, hoping that they have used the same algorithm as for the Atheros based routers.
I can already decrypt the factory firmware of WZR-HP-G300NH, WHR-HP-G300N, and the WHR-G300Nv2.
Have not tested WHR-HP-GN but assume I can do that one as well.

The header in the v1 is a bit different from the others though so I'm not sure if it is encrypted in the same way.


I was wondering if the following file: http://www.dd-wrt.com/dd-wrtv2/downloads/others/eko/BrainSlayer-V24-preSP2/older/170109/WHR-G300N/DD-WRT--WHR-G300N-preflash.enc is of any help.
It was provided as an intermediate step between Buffalo firmware and DD-WRT.
Would Buffalo's encryption have been known to make such a file that is flashed through the user interface?
DoesItMatter (DD-WRT Guru)
Posted: Thu Jun 03, 2010 8:06
OK, yea, I found out during my testing of these things that I may have burned out a USB port, or 2!

I'll have to get a USB hub to do more testing, as I'd rather burn those out.

Luckily it was on an old test computer, so I don't care about the USB much.

As far as the WHR-G300N-Preflash, yea, that was something Brainslayer made.

I think Brainslayer knows how to decrypt it, but I'm not sure if he can legally release it.
Might be some agreement he has with Buffalo.

Now if us forum members put out an un-encrypted firmware, whole different story I think.

LOM (DD-WRT Guru)
Posted: Thu Jun 03, 2010 9:28
DoesItMatter wrote:
OK, yea, I found out during my testing of these things that I may have burned out a USB port, or 2!

I'll have to get a USB hub to do more testing, as I'd rather burn those out.

Luckily it was on an old test computer, so I don't care about the USB much.

As far as the WHR-G300N-Preflash, yea, that was something Brainslayer made.

I think Brainslayer knows how to decrypt it, but I'm not sure if he can legally release it.
Might be some agreement he has with Buffalo.

Now if us forum members put out an un-encrypted firmware, whole different story I think.


I can only think of one way of burning the USB ports and that is connecting USB +power to router power.
You may then get your router powered up via the USB and it will possibly overload and burn USB components in your computer.
Have you tested the ports now with a flash stick or a mouse?

I opened another 3-wire CA-42 phone connector today where the colours used were the same but connected differently:

6 FBus Rx blue
7 FBus Tx red
8 Data GND orange

This one had only 6 of the small connector pins in the phone connector and pin2 (first one of the small) was omitted so there was a bit of space between pin 3 and pin 1 (which is in the plastic tab).
They are all different from each other..

One can carefully cut piece by piece from the connector moulding and get inside to see how the wires are connected.


The preflash file was intended for gui update when you have a Buffalo firmware in the router, a firmware that contains the decryption routines.
Brainslayer could, if there is enough flash space, have those routines in the dd-wrt firmware as well so it would be possible to revert via the gui.
Maybe he ain't got space for it though.

DoesItMatter (DD-WRT Guru)
Posted: Thu Jun 03, 2010 9:59
I'm pretty sure something was damaged on those USB ports, as I put the CA-42 into those
and I would get no readings off any of the wires.

I connected the CA-42 to a different computer, loaded drivers, and found GND, and the 2 other TX/RX.

So somehow those ports are damaged, but no biggie.

Anyway, I'm close to getting serial access, but at that point, not sure what to do next?

Once I can break into the bootloader - how would I read the file from flash,
and then send it to a tftp server?

I have no problem setting up the tftp server and configuring IP's, etc.
Just not sure what commands I would perform in the bootloader mode?

LOM (DD-WRT Guru)
Posted: Thu Jun 03, 2010 10:41
DoesItMatter wrote:


Anyway, I'm close to getting serial access, but at that point, not sure what to do next?

Once I can break into the bootloader - how would I read the file from flash,
and then send it to a tftp server?

I have no problem setting up the tftp server and configuring IP's, etc.
Just not sure what commands I would perform in the bootloader mode?


As I said in an earlier post today, all the useful commands for saving to a remote host have been stripped off this boot loader.

There are only commands for retrieving a file from a remote host, ie tftp get cmds, so you will have to wait for me decrypting an OEM firmware.

It would have been so much easier if the tftp put command had been present, or a cmd for sending a file via serial in xmodem or kermit format.

DoesItMatter (DD-WRT Guru)
Posted: Thu Jun 03, 2010 12:50
Aww - damn... so no point in trying to dump a firmware from a fresh router.

Well, I've got extras of these and if you do think you can get one decrypted, let me know.

I'm willing to sacrifice one of mine to try out a test firmware.

I'm actually happy with DD-WRT on mine, so this would just be to try and help others.

The 2 fresh ones I have are spares - I actually like these WHR-G300N's.

LOM (DD-WRT Guru)
Posted: Fri Jun 04, 2010 13:02
DoesItMatter wrote:
Aww - damn... so no point in trying to dump a firmware from a fresh router.

Well, I've got extras of these and if you do think you can get one decrypted, let me know.

I'm willing to sacrifice one of mine to try out a test firmware.

I'm actually happy with DD-WRT on mine, so this would just be to try and help others.

The 2 fresh ones I have are spares - I actually like these WHR-G300N's.


I've made some progress but don't have it all complete yet.
The "crypto" algorithm is the same as for Atheros based routers but the image structure is a bit different.
Atheros based routers have a Kernel/Rootfs Combined Image while this one has separate linux and filesystem parts in the image.
I have got the vmlinux.bin part out of the image so next step is to decrypt the squash filesystem part.

Then comes the tricky part of combining them into one image and get the checksums correct.

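An added example, not code from this thread or from LOM's tool: once a factory image has been decrypted, locating the squashfs part and digesting the kernel and rootfs parts separately gives a layout sanity check before anything is reassembled or flashed. It assumes a squashfs v4 superblock layout (the thread does not say which squashfs version the image uses) and uses SHA-256 as a generic integrity digest, not Buffalo's own checksum, which the thread does not describe; the sample image is constructed.

```python
import hashlib
import struct

SQUASHFS_MAGIC = b"hsqs"  # little-endian squashfs magic as stored on flash


def find_squashfs(image, align=0x1000):
    """Return (offset, bytes_used) of the first squashfs v4 superblock found at
    an erase-block-aligned offset, or None. Assumes the v4 96-byte superblock."""
    off = 0
    while off + 96 <= len(image):
        if image[off:off + 4] == SQUASHFS_MAGIC:
            major, _minor = struct.unpack_from("<HH", image, off + 28)
            (bytes_used,) = struct.unpack_from("<Q", image, off + 40)
            # Reject a stray magic whose claimed size runs past the image end.
            if major == 4 and bytes_used <= len(image) - off:
                return off, bytes_used
        off += align
    return None


def split_image(image):
    """Split a decrypted image into kernel and rootfs parts and digest each.
    SHA-256 is a generic integrity digest here, not the vendor's own checksum."""
    found = find_squashfs(image)
    if found is None:
        raise ValueError("no squashfs v4 superblock at an aligned offset")
    fs_off, fs_len = found
    kernel = image[:fs_off]
    rootfs = image[fs_off:fs_off + fs_len]
    return {
        "kernel_len": len(kernel),
        "rootfs_off": fs_off,
        "rootfs_len": fs_len,
        "kernel_sha256": hashlib.sha256(kernel).hexdigest(),
        "rootfs_sha256": hashlib.sha256(rootfs).hexdigest(),
    }


def make_sample_image():
    """Constructed sample (hypothetical, not a real Buffalo image): two 4 KiB
    blocks of fake kernel, then a synthetic squashfs v4 superblock and filler."""
    kernel = bytes([0x5A]) * 0x2000
    sb = bytearray(96)
    sb[0:4] = SQUASHFS_MAGIC
    struct.pack_into("<HH", sb, 28, 4, 0)   # version 4.0
    struct.pack_into("<Q", sb, 40, 0x1234)  # bytes_used of the filesystem
    rootfs = bytes(sb) + bytes([0xFF]) * (0x1234 - 96)
    return kernel + rootfs + bytes([0xFF]) * 0x100  # trailing erase-block padding
```

Scanning only at erase-block boundaries keeps a "hsqs" string that happens to occur inside kernel data from being mistaken for the rootfs start.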
Page 3 of 6. All times are GMT.