Hey!
I am working on getting a shell on three Motorola modems, MG7315, MB7220, and MB8611. I picked up the MG7315 from a thrift store and figured it would be a fun project. I've followed the documentation included in this repo to enable verbosity through UART and reach a prompt which should be followed by the `CM>` prompt, but it isn't. I replicated my steps from the MG7315 on the MB7220 (which I actually had lying around) and the end result was the same. Both seem to end as such:

```
<...snipped beginning of boot...>
Running the system...
Beginning Cable Modem operation...
Beginning Parental Control operation...
Beginning eRouter operation...
[00:00:29 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain: (Scan Downstream Thread) Scanning for a Downstream Channel...
[00:00:30 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ScanStarting: (Scan Downstream Thread) Scanning STD & HRC Annex B channel plan frequencies
Resetting EnergyDetected to false.
Forgetting energy frequency.
Executing fast scan algorithm...
Type 'help' or '?' for a list of commands...
[00:00:30 01/01/1970] [CableHomePingTool Thread] CableHomePingTool::ArpIpAddressRange: (CableHomePingTool Thread) ARP'ing of Ip Address Range (192.168.0.10) --> (192.168.0.254)
Scanned 93000000 Hz...
Scanned 225000000 Hz...
Scanned 357000000 Hz...
Scanned 489000000 Hz...
Scanned 621000000 Hz...
Scanned 753000000 Hz...
Scanned 885000000 Hz...
Scanned 99000000 Hz...
<...endless scanning loop...>
```
As you can see, the `Type 'help' or '?' for a list of commands...` line does pop up, but the devices do not accept any other input aside from that, and no keystroke results in the `CM>` console appearing. Initially, the serial boot log simply ended on `Console output has been disabled in non-vol! Goodbye...`, but after dumping the firmware from the SPI chip, extracting the individual nvram config sections (prefixed with 0xFF) and modifying them with bcm2cfg to set `bfc.serial_console_mode` to `rw`, I managed to get past that message. bcm2cfg only partially parsed the config sections, but luckily it did recognize the serial mode config. The `userif` and some of the other sections still remain unparsable right now:

```
$ bcm2cfg list W25Q128FB-factory.bin.bin bfc
failed to parse group userif
failed to parse group firewall
bfc.serial_console_mode
bfc.features
```
Also, enabling the console via Telnet was not possible. The OIDs from other issues I found on this repo did not exist.
I'm attaching the full UART boot log along with the SPI chip flash dump which I have been working out of. Any help or pointers would be greatly appreciated. I would love to contribute back to the project with profiles for these three devices once I get past this issue.
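The step described above, locating the individual config sections inside a raw SPI flash dump so that they can be handed to bcm2cfg one at a time, is the part most people stumble on when a section fails to parse. The following is an added example (not code from this repo or from the issue author) that carves a dump into candidate regions by treating long runs of the 0xFF erase-fill byte as separators, which is the assumption behind "prefixed with 0xFF" in the issue. It reports each region's offset, length, Shannon entropy, SHA-256 and any printable strings, so you can tell apart config data, compressed/encrypted blobs and leftover padding before deciding what to feed to bcm2cfg. The 16-byte minimum run length, the `0xFF` fill byte and the sample image are all constructed assumptions; on a real dump you would pass the file's bytes instead.

```python
"""Carve candidate NVRAM/config regions out of a raw SPI flash dump.

Assumption (constructed for this example): config sections are separated by
runs of the erase-fill byte (0xFF on most SPI NOR parts).  The minimum run
length and the sample image below are made up; nothing here is the real
layout used by bcm2cfg.
"""
import hashlib
import math
import re
from dataclasses import dataclass, field


@dataclass
class Region:
    offset: int            # byte offset of the region in the image
    length: int            # region size in bytes
    entropy: float         # Shannon entropy, bits per byte (0..8)
    sha256: str            # hex digest, handy for diffing before/after edits
    strings: list = field(default_factory=list)  # printable ASCII runs found


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~0 for padding, ~8 for compressed/encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n 4` restricted to this region."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def carve_regions(image: bytes, min_fill_run: int = 16, fill: int = 0xFF) -> list:
    """Split `image` at every run of >= min_fill_run fill bytes.

    Short runs of the fill byte (below the threshold) are kept inside a
    region, since real data legitimately contains a few 0xFF bytes.
    """
    fill_re = re.compile(re.escape(bytes([fill])) + b"{%d,}" % min_fill_run)
    regions = []
    pos = 0
    for m in fill_re.finditer(image):
        if m.start() > pos:                      # data between two fill runs
            regions.append(_make_region(image, pos, m.start()))
        pos = m.end()
    if pos < len(image):                         # trailing data with no fill after it
        regions.append(_make_region(image, pos, len(image)))
    return regions


def _make_region(image: bytes, start: int, end: int) -> Region:
    chunk = image[start:end]
    return Region(
        offset=start,
        length=len(chunk),
        entropy=round(shannon_entropy(chunk), 3),
        sha256=sha256_hex(chunk),
        strings=printable_strings(chunk),
    )


# Constructed sample image: a small "boot" header, two fake config sections
# (one containing a short 0xFF run that must NOT split it) and trailing fill.
SAMPLE_IMAGE = (
    b"\x00\x10BOOT"
    + b"\xff" * 64
    + b"CONSTRUCTED-NVRAM-A" + b"\x01\x02" + b"\xff" * 8 + b"\x03"
    + b"\xff" * 200
    + b"CONSTRUCTED-NVRAM-B"
    + b"\xff" * 32
)


if __name__ == "__main__":
    # Usage on a real dump: carve_regions(open("dump.bin", "rb").read())
    for r in carve_regions(SAMPLE_IMAGE):
        names = b", ".join(r.strings).decode("ascii", "replace")
        print(f"0x{r.offset:08x} len={r.length:6d} H={r.entropy:.2f} "
              f"sha256={r.sha256[:12]}... strings=[{names}]")
```

Regions with entropy near 8 bits/byte are unlikely to be plain-text config and usually explain why a parser "fails to parse group" on them; regions with readable strings and moderate entropy are the ones worth extracting to separate files for bcm2cfg. Hashing each region before and after editing makes it easy to confirm that only the intended section changed when writing the image back.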