About adding a static route to my DOCSIS modem

You may think this is an easy task but let’s find out. One would expect such functionality in a web interface …

… but no, it’s not there. So what’s next? Let’s hack it!


First I checked how the web UI works and how it sends config-change requests, and tried to abuse the ping function for remote command execution, but without luck. Later I found out that some vulnerabilities had been published, but they all seemed to be fixed in my firmware revision.

But there is an even better source of information about this modem: a security evaluation report. It still refers to outdated firmware, but it describes some hardware attack vectors.


HW hacking can be dangerous, so I bought another modem of the same type from eBay and performed the following on that one. This is how the device looks from the inside (imagine it without those hacked-on wires):

There are two pin headers which provide 115200 baud serial access, but they only show a few lines of output (see pictures), they don’t accept any input, and on the latest board revision they are not even there.

For storage the device uses a NAND flash behind an eMMC controller (PS8211-0); you can see a full description of a similar board together with boot logs at mobile-computer-repairs.co.uk (MCR from now on). As my board showed limited boot logs and no way to influence the boot process, I tried (as some forums suggested) shorting NAND pins to break the boot. The only thing I achieved was to brick my test subject, so I do not recommend this approach.

Identifying the eMMC pinout

The MCR page shows a pinout of the eMMC, so I took an oscilloscope and started to measure the signals on the pins. This actually yielded conflicting results, so I chose a different approach. This is a known technique and you can read about it here. I scraped the solder mask from all the traces between the main CPU and the eMMC to get access to the signals:

attached some wires:

and started to measure the signals with my oscilloscope. This immediately revealed the CMD and CLK pins and a few DATx pins. For reading, I ordered a Transcend TS-RDF5 SD card reader, which is able to handle 1-bit SD mode. I just guessed the DAT0 pin to be the first one following CMD, and it was a lucky guess :). In the end, the pinout looked like this:

Then I traced the lines towards the controller, and the resulting controller pinout looks like this:

31 – CMD
22 – CLK
25 – DAT0
26 – DAT1
24 – DAT2
33 – VCC

After connecting it to the card reader, my PC recognized the following:

[352807.254686] usb 2-2: new high-speed USB device number 49 using xhci_hcd
[352807.406062] usb 2-2: New USB device found, idVendor=8564, idProduct=4000
[352807.406065] usb 2-2: New USB device strings: Mfr=3, Product=4, SerialNumber=5
[352807.406067] usb 2-2: Product: Transcend
[352807.406069] usb 2-2: Manufacturer: TS-RDF5
[352807.406071] usb 2-2: SerialNumber: 000000000037
[352807.407058] usb-storage 2-2:1.0: USB Mass Storage device detected
[352807.410863] scsi host3: usb-storage 2-2:1.0
[352808.441748] scsi 3:0:0:0: Direct-Access TS-RDF5 SD Transcend TS3A PQ: 0 ANSI: 6
[352808.442438] sd 3:0:0:0: Attached scsi generic sg2 type 0
[352808.724617] sd 3:0:0:0: [sdc] 230144 512-byte logical blocks: (118 MB/112 MiB)
[352808.725399] sd 3:0:0:0: [sdc] Write Protect is off
[352808.725402] sd 3:0:0:0: [sdc] Mode Sense: 23 00 00 00
[352808.726262] sd 3:0:0:0: [sdc] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[352808.746880] sdc: sdc1 sdc2 sdc3 sdc4 < sdc5 sdc6 sdc7 sdc8 sdc9 sdc10 sdc11 sdc12 sdc13 sdc14 sdc15 >
[352808.750675] sd 3:0:0:0: [sdc] Attached SCSI removable disk

After that I immediately dumped it to a file and started to analyze it:

dd if=/dev/sdc of=upc-sub3.bin bs=1M

For the connection I used a microSD breakout board which I designed:

In later test subjects I also improved the connection setup:


I recommend using hot glue to attach the pin header, so that the thin wires are protected from mechanical stress.


As the eMMC is the only nonvolatile storage in the device, I was able to dump my “production” modem (the one pictured with colorful wires) with minimal traces of tampering, copy the whole eMMC dump to my test subject, and surprisingly it worked. Later on I added a convenient eMMC breakout cable and started to use the cloned one for my internet access. If anything goes wrong, I can always flash the working image back without problems.

Flash contents

The eMMC storage is 128 MB and contains multiple partitions. These are actually very useful because they separate the multiple kernels and filesystems, so we don’t need to explore the whole flash with binwalk.

I created extract.sh, which extracts these partitions to separate files so I could easily analyze them and mount them via loop devices. First, I checked them with the file command:

  • upc-sub3.bin1: Linux kernel x86 boot executable bzImage, version 3.12.17 (jason@alphago) #1 SMP PREEMPT Tue Mar 20 18:56:18 CST 2018, RO-rootFS, swap_dev 0x3, Normal VGA
  • upc-sub3.bin2: Linux kernel x86 boot executable bzImage, version 2.6.39 (root@ftd-sw) #2 SMP PREEMPT Wed Apr 5 11:58:12 CST 2017, RO-rootFS, root_dev 0x801, swap_dev 0x3, Normal VGA
  • upc-sub3.bin3: Squashfs filesystem, little endian, version 4.0, 13826280 bytes, 2277 inodes, blocksize: 65536 bytes, created: Tue Mar 20 11:14:38 2018
  • upc-sub3.bin4: DOS/MBR boot sector; partition 1 : ID=0x83, start-CHS (0x36c,0,1), end-CHS (0x3ff,3,16), startsector 256, 34816 sectors; partition 2 : ID=0x5, start-CHS (0x3ff,3,16), end-CHS (0x3ff,3,16), startsector 35312, 4112 sectors, extended partition table
  • upc-sub3.bin5: Squashfs filesystem, little endian, version 4.0, 14369432 bytes, 1377 inodes, blocksize: 65536 bytes, created: Wed Apr 5 04:39:44 2017
  • upc-sub3.bin6: Linux rev 1.0 ext3 filesystem data, UUID=10ac6b3f-779b-4b07-af20-6141776df879 (needs journal recovery)
  • upc-sub3.bin7: data
  • upc-sub3.bin8: u-boot legacy uImage, Boot Script File, Linux/PowerPC, Script File (Not compressed), 8912 bytes, Tue Mar 20 11:26:12 2018, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC: 0xFF8DF93B, Data CRC: 0xC4A18791
  • upc-sub3.bin9: u-boot legacy uImage, Boot Script File, Linux/PowerPC, Script File (Not compressed), 8912 bytes, Wed Apr 5 05:33:39 2017, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC: 0xADC57663, Data CRC: 0xC4A18791
  • upc-sub3.bin10: Linux rev 1.0 ext3 filesystem data, UUID=3df5f8ad-bede-492f-9825-22605d50313c (needs journal recovery)
  • upc-sub3.bin11: Linux rev 1.0 ext3 filesystem data, UUID=3df5f8ad-bede-492f-9825-22605d50313c (needs journal recovery)
  • upc-sub3.bin12: Squashfs filesystem, little endian, version 4.0, 7994036 bytes, 731 inodes, blocksize: 131072 bytes, created: Tue Mar 20 11:26:09 2018
  • upc-sub3.bin13: Squashfs filesystem, little endian, version 4.0, 8068210 bytes, 706 inodes, blocksize: 131072 bytes, created: Wed Apr 5 05:33:36 2017
  • upc-sub3.bin14: Squashfs filesystem, little endian, version 4.0, 6108687 bytes, 666 inodes, blocksize: 131072 bytes, created: Tue Mar 20 11:26:11 2018
  • upc-sub3.bin15: Squashfs filesystem, little endian, version 4.0, 5493347 bytes, 602 inodes, blocksize: 131072 bytes, created: Wed Apr 5 05:33:39 2017
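What such an extract.sh step has to do, as an added example that is not the author’s script: walk the MBR and the EBR chain of the dump, carve each partition to its own file using the kernel’s sdcN numbering seen in the dmesg output above, and classify each one by magic bytes the way file did. Without an argument it works on a small constructed image whose partition layout is invented for the demonstration; with a dump path (e.g. upc-sub3.bin) it writes upc-sub3.bin1, upc-sub3.bin2, … next to it.

```python
import struct
import sys

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}      # DOS extended / W95 extended LBA / Linux extended
ENTRY = struct.Struct("<B3sB3sII")        # status, CHS start, type, CHS end, LBA start, sector count


def _entries(sector):
    """Yield (type, lba_start, sector_count) for the four slots of an MBR or EBR sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    for slot in range(4):
        _, _, ptype, _, lba, count = ENTRY.unpack_from(sector, 446 + 16 * slot)
        yield ptype, lba, count


def partitions(img):
    """Return [(number, start_byte, size_bytes, type)] numbered the way the kernel numbers sdcN:
    primaries 1-4 (the extended container keeps its slot number), logicals from 5 upward."""
    parts, ext_base = [], None
    for slot, (ptype, lba, count) in enumerate(_entries(img[:SECTOR]), start=1):
        if ptype == 0:
            continue
        parts.append((slot, lba * SECTOR, count * SECTOR, ptype))
        if ptype in EXTENDED_TYPES:
            ext_base = lba
    num, ebr, seen = 5, ext_base, set()
    while ebr is not None and ebr not in seen:          # 'seen' stops a looping EBR chain
        seen.add(ebr)
        try:
            first, link = list(_entries(img[ebr * SECTOR:(ebr + 1) * SECTOR]))[:2]
        except ValueError:                               # corrupt EBR: stop walking the chain
            break
        ptype, lba, count = first
        if ptype != 0:                                   # logical partition, LBA relative to this EBR
            parts.append((num, (ebr + lba) * SECTOR, count * SECTOR, ptype))
            num += 1
        ebr = ext_base + link[1] if link[0] != 0 else None   # next EBR, LBA relative to ext. base
    return parts


def identify(blob):
    """Classify a carved partition by magic bytes, like `file` did on the page."""
    if blob[:4] == b"hsqs":
        return "squashfs"
    if blob[:4] == b"\x27\x05\x19\x56":
        return "uImage"
    if blob[0x202:0x206] == b"HdrS":        # before the MBR test: a bzImage also ends sector 0 in 55AA
        return "bzImage"
    if blob[0x438:0x43A] == b"\x53\xef":    # ext2/3/4 superblock magic at byte 1080
        return "ext2/3/4"
    if blob[510:512] == b"\x55\xaa":
        return "DOS/MBR boot sector"
    return "data"


def carve(img):
    """Map partition number -> (kind, bytes) for a whole-disk dump such as upc-sub3.bin."""
    return {num: (identify(img[start:start + size]), img[start:start + size])
            for num, start, size, _ in partitions(img)}


def _table(entries):
    """Constructed MBR/EBR sector with the given (type, lba, count) entries (for the sample image)."""
    sec = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        ENTRY.pack_into(sec, 446 + 16 * i, 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_sample_image():
    """Constructed 32-sector stand-in for a dump (NOT a real modem image): three primaries,
    an extended container at sector 16 holding two logicals, each tagged with a magic number."""
    img = bytearray(SECTOR * 32)
    img[:SECTOR] = _table([(0x83, 2, 4), (0x83, 6, 4), (0x83, 10, 4), (0x05, 16, 16)])
    img[2 * SECTOR + 0x202:2 * SECTOR + 0x206] = b"HdrS"          # p1: bzImage header magic
    img[2 * SECTOR + 510:2 * SECTOR + 512] = b"\x55\xaa"          #     ... and its boot-sector signature
    img[6 * SECTOR:6 * SECTOR + 4] = b"hsqs"                      # p2: squashfs v4
    img[10 * SECTOR + 0x438:10 * SECTOR + 0x43A] = b"\x53\xef"    # p3: ext superblock magic
    img[16 * SECTOR:17 * SECTOR] = _table([(0x83, 1, 3), (0x05, 4, 4)])  # EBR #1: p5 at 17, next EBR at 16+4
    img[17 * SECTOR:17 * SECTOR + 4] = b"\x27\x05\x19\x56"        # p5: u-boot uImage
    img[20 * SECTOR:21 * SECTOR] = _table([(0x83, 1, 3)])         # EBR #2: p6 at 21, end of chain
    return bytes(img)                                             # p6 stays zeroed -> "data"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_image()
    for num, (kind, data) in carve(image).items():
        out = f"{path or 'sample.bin'}{num}"                     # same naming as upc-sub3.binN
        with open(out, "wb") as f:
            f.write(data)
        print(f"{out}: {kind}, {len(data)} bytes")
```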

The mentioned security report says that the main SoC consists of two separate CPU cores/systems: x86 and ARMv6. The contents of the partitions suggested this too. I mounted and explored all mountable partitions to get more info about the system.

BPI/SEC Certificates

The certificates used for BPI/SEC are stored in partition 10:

# ls -la /nvram/1/security/
lrwxrwxrwx 1 29 cm_cert.cer -> download/cbn_cm_euro_cert.cer
lrwxrwxrwx 1 32 cm_key_prv.bin -> download/cbn_cm_euro_privkey.bin
lrwxrwxrwx 1 41 mfg_key_pub.bin -> /etc/docsis/security/euro_mfg_key_pub.bin
drwxr-xr-x 2 1024 download
lrwxrwxrwx 1 38 mfg_cert.cer -> /etc/docsis/security/euro_mfg_cert.cer
drwxr-xr-x 5 1024 ..
lrwxrwxrwx 1 42 root_pub_key.bin -> /etc/docsis/security/euro_root_pub_key.bin
drwxr-xr-x 3 1024 .
$ openssl x509 -in cbn_cm_euro_cert.cer -inform der --noout -text
         Version: 3 (0x2)
         Serial Number: 343337499263393 (0x138437dae81a1)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C = TW, O = Compal Broadband Networks, OU = Euro-DOCSIS, CN = Compal Broadband Networks Cable Modem Root Certificate Authority
             Not Before: Mar 26 19:31:05 2018 GMT
             Not After : Mar 26 19:31:05 2038 GMT
         Subject: C = TW, O = Compal Broadband Networks, OU = Euro-DOCSIS, CN = 38:43:7D:AE:81:A1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (1024 bit)
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption

As you can see below, the key file is not in any known format because it is encrypted, so you cannot use it in any other device.

$ openssl rsa -in cbn_cm_euro_privkey.bin -inform der --noout -text
unable to load Private Key
140486965376832:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:

One of my friends was kind enough to provide a decrypting program; after running it, you get a decrypted key:

$ ./compal-decrypt cbn_cm_euro_privkey.bin cbn_cm_euro_privkey.bin.decrypt
[+] success!
$ openssl rsa -in cbn_cm_euro_privkey.bin.decrypt -inform der --noout -text

RSA Private-Key: (1024 bit, 2 primes)


After porting these certificates to another modem (with cloned MAC) you can use the other device for internet access.

This is of course not my “production” certificate. 🙂

Arbitrary code execution

As the first target I chose the x86 system because I thought it was the more important one.

I expected the filesystems with 2018 timestamps to be the actual production firmware. After mounting them via mount-part.sh upc-sub3.binX and exploring them, I found that p3 contains the read-only root squashfs and p6 is a writable ext3 partition containing some configuration data. I also found that p6 is mounted as /nvram in the running system. Next, I tried to find an init script which executes another script or binary from /nvram.

Modifying the contents of /nvram was easy, just by mounting and manipulating it on my PC. The process was as follows:

  1. explore the init scripts in the squashfs and look for something executed from /nvram
  2. connect the modem via the reader to my PC
  3. mount /dev/sdc6 /mnt/tst
  4. create /mnt/tst/something which runs some command and redirects its output to > /nvram/something.log
  5. chmod +x /mnt/tst/something
  6. umount, sync and disconnect the modem
  7. boot the modem and wait a few minutes
  8. turn the modem off and connect it to the PC
  9. check the presence/contents of /mnt/tst/something.log
  10. if not successful, go to 1.

I tried several possible candidates for /nvram/something but without luck, so I needed to modify the root squashfs itself.

Modifying squashfs

Extracting was quite easy, I just ran:

$ sudo unsquashfs upc-sub3.bin3
Parallel unsquashfs: Using 4 processors
2147 inodes (2598 blocks) to write
[======================================================================================================================================|] 2598/2598 100%
created 1284 files
created 135 directories
created 858 symlinks
created 0 devices
created 0 fifos

After that I edited one init script:

--- squashfs-root/etc/init.d/nvram    2018-03-20 11:56:47.000000000 +0100
+++ squashfs-root/etc/init.d/nvram 2019-03-09 16:49:13.030975974 +0100
@@ -179,6 +179,9 @@
echo "Please make sure partition $EMMC_PARTITION exist in emmc boot or partition $SPI_PARTITION exists in spi boot"
+ /nvram/startup.sh &
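Review bot: the added `+ /nvram/startup.sh &` line runs whatever sits at that path on the writable /nvram partition unconditionally and in the background, so a missing or non-executable file fails silently and any write to /nvram becomes persistent code execution at every boot; guard it with `[ -x /nvram/startup.sh ] && /nvram/startup.sh &` and log the invocation so the hook is visible in the boot output. The hunk header (-179,6 +179,9) announces three added lines while only one `+` line is shown, and the only context line is an error `echo`, so it is worth confirming the hook did not land inside that failure branch.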

and packed it back by running:

sudo mksquashfs squashfs-root/* upc-sub3.bin3.nocomp -comp xz -b 65536 -noappend

After that I copied the file back to the real device:

sudo dd if=upc-sub3.bin3.nocomp of=/dev/sdc3 bs=1M

System analysis

Then I created /nvram/startup.sh with the following contents:

cd /nvram/

/usr/sbin/brctl show &> brctl.log
lsmod > lsmod.log
uname -a > uname.log
ip a > ipa.log
ip r > ipr.log
ifconfig > ifconfig.log
mount > mount.log
netstat -an > netstat.log
ps > ps.log
iptables -L -n &> iptablesln.log



I let it run for a few minutes, turned it off, connected it back to my PC and checked the results on /dev/sdc6. All log files were created with interesting content. Perfect! This meant that my script was executed successfully, and that telnetd was running and listening without iptables restrictions.

This also revealed the IP address, but I was not able to connect to the running telnetd no matter what; the IP was not even pingable, and my ultimate goal was to get shell access via telnet. But netstat showed established connections from what I expected to be the other, ARM system. So I left it like this and started to attack the other system.

Later I found out that to start the standard telnetd present in the init scripts you only need to create the file /nvram/sdk/docsis_relax.

Exploiting the ARM core

This was basically a very similar story. First I found the squashfs root at p12 and the /nvram ext3 at p10, and tried to modify nvram to execute my script. I didn’t spend much time on that this time; I moved to changing the squashfs very quickly.

After a few tries I managed to get my /nvram/startup.sh running by modifying the following:

cat << EOF >> squashfs-root/etc/scripts/docsis_active.pcd

COMMAND = /bin/bash /nvram/startup.sh
EOF

This file seems to be read by some kind of proprietary process manager (pcd) which ensures all required services are running. I packed it back by running:

sudo mksquashfs squashfs-root/* upc-sub3.bin12.mod -comp xz -b 131072 -noappend

Inside /nvram/startup.sh I put:


/nvram/telnet.sh &

And into /nvram/telnet.sh:

while true; do
    /sbin/utelnetd -p 23 -l /bin/bash
    sleep 1
done

After booting the box… Shell access!

$ telnet
Connected to
Escape character is '^]'.

BusyBox v1.22.1 (2018-03-20 18:44:48 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# uname -a
Linux 3.12.14 #1 PREEMPT Tue Mar 20 18:43:41 CST 2018 armv6b GNU/Linux
# cat /proc/cpuinfo 
processor       : 0
model name      : ARMv6-compatible processor rev 4 (v6b)
Features        : swp half thumb fastmult edsp java tls 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xb76
CPU revision    : 4

Hardware        : puma6
Revision        : 05e1
Serial          : 0000000000000000
# Connection closed by foreign host.

I ran utelnetd in a loop because every time I connected via telnet, the session was live for about 10 seconds and then utelnetd died. I haven’t found out why, so I put it into a loop, but it really annoyed me. The available command set was also quite limited:

# /bin/busybox
BusyBox v1.22.1 (2018-03-20 18:44:48 CST) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, add-shell, ash, awk, base64, basename, bash, blockdev,
        bootchartd, cat, chmod, chroot, conspy, cp, crond, crontab, cut, date,
        dd, dhcprelay, dmesg, dnsdomainname, du, dumpleases, echo, fgconsole,
        find, flashcp, flock, free, fstrim, ftpget, ftpput, getopt, grep,
        groups, halt, head, hexdump, hostname, ifconfig, init, insmod, iostat,
        ip, ipaddr, iplink, iproute, iprule, iptunnel, kill, killall, killall5,
        ln, logger, ls, lsmod, lsof, lspci, mkdir, mke2fs, mkfs.ext2, mknod,
        modinfo, mount, mpstat, mv, nanddump, nandwrite, nbd-client, netstat,
        ntpd, passwd, ping, ping6, pmap, poweroff, powertop, ps, pstree, pwd,
        pwdx, reboot, renice, rev, rm, rmmod, route, sed, setserial, sh,
        sha3sum, sleep, smemcap, sync, sysctl, tail, tar, test, tftp, time,
        top, tr, traceroute, traceroute6, tune2fs, ubiattach, ubidetach,
        ubimkvol, ubirmvol, ubirsvol, ubiupdatevol, udhcpc, udhcpd, umount,
        uname, unxz, users, vconfig, vi, wall, watchdog, wc, wget, which,
        whois, xz, xzcat

There was no telnet, nc, … so I started to research how to build my own (busybox) binary.


My best option was to use buildroot because it is very easy to use. I had no idea how to configure it, so I checked some CPU info:

$ cat /proc/cpuinfo
 processor       : 0
 model name      : ARMv6-compatible processor rev 4 (v6b)
 Features        : swp half thumb fastmult edsp java tls 
 CPU implementer : 0x41
 CPU architecture: 7
 CPU variant     : 0x0
 CPU part        : 0xb76
 CPU revision    : 4
 Hardware        : puma6
 Revision        : 05e1
 Serial          : 0000000000000000

So I tried the following:

After running make, it created the following busybox binary:

$ file output/build/busybox-1.29.3/busybox
 output/build/busybox-1.29.3/busybox: ELF 32-bit MSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, with debug_info, not stripped

This is quite close to what we need:

$ file bin/busybox
 bin/busybox: ELF 32-bit MSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, stripped

but the linked libraries may differ, so it’s better to use a statically linked binary. This can be done in the following way:

$ cd output/build/busybox-1.29.3/
$ make menuconfig
$ cd -
$ rm output/build/busybox-1.29.3/busybox
$ make busybox-rebuild
$ file output/build/busybox-1.29.3/busybox
output/build/busybox-1.29.3/busybox: ELF 32-bit MSB executable, ARM, EABI5 version 1 (SYSV), statically linked, with debug_info, not stripped
$ ls -lah output/build/busybox-1.29.3/busybox
 -rwxr-xr-x 1 root root 1.2M Jul  9 22:27 output/build/busybox-1.29.3/busybox

Cool, this is what we needed. After downloading it to /var on the router and running it, we got:

# cd /var/
 Connecting to (
 busybox              100% |*|  1132k  0:00:00 ETA
# chmod +x busybox
# ./busybox
 BusyBox v1.29.3 (2019-07-02 17:07:42 CEST) multi-call binary.
 BusyBox is copyrighted by many authors between 1998-2015.
 Licensed under GPLv2. See source distribution for detailed
 copyright notices.
 Usage: busybox [function [arguments]…]
    or: busybox --list[-full]
    or: busybox --install [-s] [DIR]
    or: function [arguments]…
         BusyBox is a multi-call binary that combines many common Unix
         utilities into a single executable.  Most people will create a
         link to busybox for each function they wish to use and BusyBox
         will act like whatever it was invoked as.
 Currently defined functions:
         [, [[, addgroup, adduser, ar, arch, arp, arping, ash, awk, base64, basename, blkid, bunzip2, bzcat, cat, chattr, chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio,
         crond, crontab, cut, date, dc, dd, deallocvt, delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env, ether-wake,
         expr, factor, fallocate, false, fbset, fdflush, fdformat, fdisk, fgrep, find, flock, fold, free, freeramdisk, fsck, fsfreeze, fstrim, fuser, getopt, getty, grep, gunzip, gzip, halt,
         hdparm, head, hexdump, hexedit, hostid, hostname, hwclock, i2cdetect, i2cdump, i2cget, i2cset, id, ifconfig, ifdown, ifup, inetd, init, insmod, install, ip, ipaddr, ipcrm, ipcs,
         iplink, ipneigh, iproute, iprule, iptunnel, kill, killall, killall5, klogd, last, less, link, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, ls,
         lsattr, lsmod, lsof, lspci, lsscsi, lsusb, lzcat, lzma, lzopcat, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mke2fs, mkfifo, mknod, mkpasswd, mkswap, mktemp, modprobe,
         more, mount, mountpoint, mt, mv, nameif, netstat, nice, nl, nohup, nproc, nslookup, nuke, od, openvt, partprobe, passwd, paste, patch, pidof, ping, pipe_progress, pivot_root,
         poweroff, printenv, printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot, renice, reset, resize, resume, rm, rmdir, rmmod, route, run-init, run-parts, runlevel, sed, seq,
         setarch, setconsole, setfattr, setkeycodes, setlogcons, setpriv, setserial, setsid, sh, sha1sum, sha256sum, sha3sum, sha512sum, shred, sleep, sort, start-stop-daemon, strings, stty,
         su, sulogin, svc, svok, swapoff, swapon, switch_root, sync, sysctl, syslogd, tail, tar, tc, tee, telnet, telnetd, test, tftp, time, top, touch, tr, traceroute, true, truncate, tty,
         ubirename, udhcpc, uevent, umount, uname, uniq, unix2dos, unlink, unlzma, unlzop, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, vlock, w, watch, watchdog, wc, wget,
         which, who, whoami, xargs, xxd, xz, xzcat, yes, zcat

Very good. Next I packed the binary into the root squashfs and replaced utelnetd in startup.sh with:

/bin/busybox.my telnetd -l /nvram/login.sh >/nvram/telnet.std 2>/nvram/telnet.err

login.sh performs some basic authentication and throws you into a shell. After this, the telnet connection never dropped again. I also compiled some other utilities like tcpdump, strace and nmap in the same way, and they all worked. This was all I needed to have a better look around the system.

Adding a static route

The routing/firewalling on this device is a mess because it has to deal with a management interface, an “inter-CPU” network, the internal network, WiFi, the BPI interface, IPv6 routing, AFTR, etc. It has several routing tables, but the one I was interested in was table “3”:

# ip route list table 3
 default dev ip6tnl1  scope link dev l2sd0.2  scope link dev lsdbr2  scope link 

So all I needed in the end was to run:

# ip route add via table 3

Problem solved, job’s done.

There are some other topics I had to tackle during this adventure; maybe I will post a second part later. If you have any questions or comments, please ask below.


53 thoughts on “About adding a static route to my DOCSIS modem”

    1. It depends. If you know the wear algorithm of the eMMC controller, maybe, but this is not the case. And I think the device + SW is much more expensive than an SD card reader.

      1. Wow, thank you so much. I will try this solution as soon as I have the SD breakout board.
        Do you think there is a possibility to get a shell via fuzzing the running RPC services as described in the security report? (TCP/38539: RPC management server and TCP/44003: RPC reverse server). I would like to connect to those open ports but have no idea how to simulate an RPC client.

  1. If instead of connecting the wires to the traces I connected the wires straight to the Phison PS8211-0, could I read the memory the same way?

  2. Hi, thank you for your research. I got the 128MB dump. PS8811 is just a controller chip, right? Or does it really contain its own internal 128MB flash?

    The NAND on the second side of the PCB in my device is: MX30LF1G18AC = 1 GB

    Manual from NAND:

    I am just asking because they are also talking about two NAND chips:

  3. Hello! You did mention the IP… I saw a strange “DOS attack” in my Arris modem logfile a while ago; I don’t have any LAN networks in that IP range. I saw later on a site that uses Shodan that, from behind my IP at that time, ports 23 and 2323 were scanned for about a month.

    Do you have any idea what that “DOS” is? Is it something like “Mirai” etc. making it happen, or is that the Arris modem trying to brute-force itself to change settings? =).

    from log:
    “” 2019-11-27 18:51:51.00 [DOS]UDP Packet – Source:,1013 Destination:,37195
    2019-11-27 18:52:00.00 [DOS]UDP Packet – Source:,677 Destination:,37195… “

    1. There are two screws. One under the sticker describing ports roughly above port 4 and one under front LED cover.

      1. Thanks that helped. It appears though that I have two Torx screws under the LED cover (which can easily be detached, I used a flat screw driver). So 3 screws in total. Unfortunately I don’t own the correct Torx screw driver size at the moment.

  4. Hello. What an impressive project!
    I was wondering where the two serial access headers are? Thanks.

  5. Hi, nice job! Thanks for sharing!
    Is there a way to recover a deleted /dev/mmcblk0p10? Indeed, I overwrote it with another mmcblk0p10 dump.
    Perhaps there is a second copy around.
    Thanks once again.

  6. Hi danman. Nice project! I have also connected all the wires to a TS-RDF5A (CMD, CLK, DAT0, GND, VCC) but nothing happens. Do you have any advice?

  7. I think the pcd you mentioned is called Process Control Daemon, widely used as a startup tool in embedded devices. Nice Project!!

  8. Excellent! Well explained, and it led me to keep researching. Your technique seems to have taken some time and I would love to read a second part with the minor details.
    My only question is how you get to this point:
    “Later I have found out that to start a standard telnetd present in init scripts you only need to create file /nvram/sdk/docsis_relax”
    Kudos from Argentina!

    1. There is a script called by several init scripts, `etc/init.d/init_docsis_comply`, which checks for the presence of the docsis_relax file:
      if [ ! -f "/nvram/sdk/docsis_relax" ]; then
        message="${parent_script}is being skipped.";
        message="$message Precluded by DOCSIS compliance.";
        echo "$message";
        # Note that this is a successful exit as we are not
        # _supposed_ to do anything.
        #exit 0;
      fi

  9. Hi. I am trying to hack an Arris TG3422 aka Vodafone Station.
    I followed all the steps, have the Transcend SD card reader, but when I plug it into the PC nothing happens.
    Can you please tell me which pins exactly you connected on the Phison eMMC?
    I connected the following:
    22: CLK
    25: DAT0
    31: CMD
    33: VCC
    and one ground.
    The router was powered down.

    What am I doing wrong?

    1. Be careful, it is possible that you burn your CPU. Remember that the Puma 7 works with 1.8V logic levels and the Phison IC is connected directly to the CPU xD. You could use a pulldown resistor on DAT0, for one, to use a low-voltage SD breakout …

  10. Do you know if this has a 12V rail easily accessible somewhere? Mine’s overheating, and I’ve already replaced the thermal paste; I would like to add a quiet fan.

  11. Hi!

    I tried to also read the eMMC from one of these routers but I can’t seem to get the SD card reader (same transcend reader but I used an SD instead of micro SD breakout) to connect to the eMMC. At first I tried at 1.8V using an exploitee.rs low voltage SD/eMMC adapter and I switched to using the 3.3V interface directly after measuring the VCC line at 3.3V while the router was powered up.
    As the SD reader couldn’t supply enough current to the 3.3V rail, I used a lab bench supply to power the eMMC VCC line (it drew about 100mA, which seems ok).
    Just to confirm: The data0 pin in your pinout above is correct and you also used the 1-Bit mode of the chip? Is there anything else you did (like hold the CPU in reset or power the whole router)?


    1. Hi,

      on CH7465 the eMMC VCC rail doesn’t backpower the router but for example on Hitron CGNV4 it powers the ethernet switch so I had to find the reset pin of the switch IC and pull it high.

      1. Hi thanks for the quick reply!

        I managed to find the problem. Without the low voltage adapter directly connected to the SD card reader it works (powered via lab power supply). I just used a faulty jumper wire to bridge the card-detect pin.

    2. Hello Jakob,

      Could you help me out with the 3V and ground line?

      As far as I understand, 3V goes from the PCB to a 3V source, but where on the PCB is the 3V line?

      I have the same question for ground. Do I connect the ground pin on the SD card to ground on the PCB? Where on the PCB is ground?

      I hope you get to see this message!
      Thanks in advance

      1. Hi Boris!

        The 3.3V line is the VCC pin of the eMMC controller (pinout is listed in the blog post).
        GND is easy to find (all the big ground planes on the PCB).
        GND needs to be connected to the SD card reader.
        3.3V can be supplied by the SD card reader, but I had better success supplying the 3.3V line from a lab bench supply.

  12. Hey Dan, having similar issues to Jacob. Tried using a Medusa Pro 2 eMMC reader, an SD card style reader and an RT809H, all to no luck. The RT809H only relies on D0 however.

    You mentioned you had to hold your reset pin high on the eth controller on a Hitron you did recently? I’m working on a Hitron-CGNM. – https://fccid.io/U4P-CGNM

    I’ve tried bench power supplies, and just the programmer. I noticed with my good programmers that an LED is illuminated on the board, indicating I’m powering at least some sort of rail. I’d figured the bench supply would fix that.

    The eth chipset is similar to the hitron you mentioned but mine is from Canada and the other, Virgin UK. Did it use the 144pin eth controller with the leaked datasheet? If not, can you give me some insight on where/how you held reset high? I read the datasheet and whilst usually you’d want to hold reset low on a cpu for isp programming, this chipset seems to go into a test mode when reset is high. Did you supply the eth controllers 1.3v vdd or the 3.3 from the programmer. Any reply helps.

  13. Hello Daniel,

    I am trying to do the same thing on the same modem and I have a few questions.
    In your improved connection setup I see 7 wires that are connected to the PCB, but your SD extension has 8 wires. Where should I connect the 8th wire?

    On your PCB photo you have labeled 5 wires but where do the other 3 wires connect to? What pins are they on the SD card?

    How do you go about exposing the copper traces on the PCB so you can solder to them?

    Finally, is it okay to re-use the original thermal pad?

    Thank you in advance, Happy holidays and a Happy New Year!

      1. When I opened the modem and lifted the heatsink, it had a small thermal pad attached to it (about 10×10 mm).
        I am not sure if a new thermal pad should be used when I attach the heatsink again. It isn’t damaged, so I am going to leave it on.

        I was thinking about leaving the Sd card breakout extension on the modem after I reconnect the heatsink.

        Are you saying that 3 wires are enough to read and write the modem’s eMMC? Just CLK, CMD and DAT0? Where is ground on the PCB?

        Sorry for so many beginner’s questions. I have ordered an SD breakout board on Amazon after ruining two PCBs from two micro SD card adapters. I am going to let you know if I succeed, but I have a good feeling about this.

          1. It looks like my first attempt was not successful.
            I am going to attach some photos.

            I ended up killing the board. I think I lifted two copper traces. Perhaps I need much smaller wires and a soldering iron that has a much smaller tip. I am using a 15W iron which probably isn’t enough either.

            Here are some photos of my failed attempt. Any suggestions are welcome.

      2. Hello, I have just read about the different bit modes. So far I understand everything, apart from ground.

        Can you power the eMMC using the SD card reader, or do you need to power the modem and somehow hold the CPU in reset? Where do you find ground?

        I am going to try and use my generic USB-C hub with a built-in SD card reader and hope it supports the 1-bit mode.

        Also don’t be confused about my different IP addresses. I am using a sim card from a country which provides a much bigger data limit. All sim cards work within the EU without roaming charges so it is possible to find a sim card with near unlimited data and use it in another EU country 😉
