Strange Telnet and SSH interface on Ubee DDW36C #64

Closed
Anonymous941 opened this issue May 19, 2024 · 9 comments

Comments

@Anonymous941

I'm trying to dump my Ubee DDW36C's flash.

I managed to get the username and password via GatewaySettings.bin, but when I try to run any command:

$ bcm2dump -vv -L io.log info '192.168.0.1,technician,R3moteAWGM!g'
bcm2dump v0.9.8-26-gbf8da8b
telnet: received command 250,24
telnet: received command 240,256
telnet: received command 251,1
telnet: received command 251,3

error: telnet: interface auto-detection failed

context:
  ==> 'Ubee Cable Modem'
  ==> (empty)
  ==> 'login:'
  <== ''
  ==> (empty)
  ==> 'password:'
  <== ''

Connecting via SSH and Telnet both give me the same results: some strange, limited interface.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc technician@192.168.0.1
technician@192.168.0.1's password: 
Ubee Cable Modem

>?
arpclear            Clear ARP table
arp-storms          ARP Storm configurations
authentication      Authentication Configuration
banner              Banner-text
copy                Copy command
dhcp                DHCP commands
dns                 Assign domain name server
exit                Disconnect
firewall            Enable/Disable firewall
filter-Proxy        Filter Proxy
filter-Cookies      Filter Cookies
filter-JavaApplets  Filter Java Applets
filter-ActiveX      Filter ActiveX
filter-PopupWindows Filter Popup Windows
fragmented-ip       Block fragmented IP packets
ipFlood-Detection   IP Flood Detection
portScan-Detection  Port Scan Detection
host-name           Host name command
interface           Interface commands
nat                 Configure NAT settings
nvram               NVRAM command
oper-mode           Configure the system operation mode
ping                Ping specified IP address
pwd                 Change password
reset               Resetting system
rip                 RIP commands
route               Static route command
show                Show commands
sip-alg             Display SIP_ALG status
set-customer-info   customer-info
snmp-configuration  SNMP Configuration
write               Write configuration to nvram

>show
Incomplete command.

>show nvram    
Invalid : nvram

>nvram get
Invalid : get

>nvram dump
Invalid : dump

>help nvram
Invalid : help

>write
Writing successfully....

>su
Invalid : su

>sudo
Invalid : sudo

>shell
Invalid : shell

>bash
Invalid : bash

>sh
Invalid : sh

>exit
Connection to 192.168.0.1 closed by remote host.
Connection to 192.168.0.1 closed.

I'm not sure what to do, or how to dump this router's flash. TFTP and SNMP both cause the connection to be closed.


I tried opening it up, and I've found what appear to be UART wires, but I can't figure out its BAUD rate. Everything I try just gives me gibberish.

Does anyone have any ideas?

@Anonymous941
Author

Anonymous941 commented May 20, 2024

I factory reset it and disconnected coax, but I can't use SNMP - it returns Timeout: No Response from 192.168.0.1.
@jclehner Have you encountered a limited shell like this before?

@jclehner
Owner

I can't figure out its BAUD rate. Everything I try just gives me gibberish.

What baud rates did you try? Every Broadcom modem I've worked on used 115200 bps.

@Anonymous941
Author

Anonymous941 commented May 21, 2024

What baud rates did you try? Every Broadcom modem I've worked on used 115200 bps.

That's the first one I tried. I also tried 50, 75, 110, 134, 150, 200, 300, 600, 1200, 2400, 4800, 9600, 19200, 28800, 38400, 57600, 78600, 230400, 460800, 57600 and 921600. Maybe it's not UART? Or is BPS different from BAUD? There are only 5 pins: GND, TX, VCC, RX, GND

I had a breakthrough with that shell though: I figured out that by pressing ? after typing a command, it tells you the arguments. copy claims to let you copy the "image" (I'm assuming that's the flash) via TFTP, but I tried it and it just said failed without attempting to make a connection.

But snmp-configuration lets me enable SNMP and even set the community string! The problem is, I have no idea how to enable the standard shell.

I'll write a program to scrape the command help, and then once I can disconnect the WiFi (SSH and Telnet only work with coax disconnected) I'll run it and hopefully something will work.

@jclehner
Owner

That's the first one I tried. I also tried 50, 75, 110, 134, 150, 200, 300, 600, 1200, 2400, 4800, 9600, 19200, 28800, 38400, 57600, 78600, 230400, 460800, 57600 and 921600. Maybe it's not UART? Or is BPS different from BAUD?

It's the same. The other settings are usually 8 bits of data, no parity, 1 stop bit (aka 8N1) - maybe this device uses parity? Or 2 stop bits?
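
The framing question above, as an added example that is not part of the original thread: a software model of a UART line that sends a constructed `CM> ` prompt and decodes it under several baud rates and framings, showing that only the matching pair decodes without framing or parity errors. The sample rate, function names and scoring rule are assumptions made for this illustration.

```python
RATE = 1_843_200  # assumed sample rate of the modelled line: 16 samples per bit at 115200
PROMPT = b"CM> \r\nCM> "  # constructed sample of the console prompt seen in this thread

def transmit(data, baud=115200, parity="N", stop=1):
    """Render bytes as idle-high samples: start bit, 8 data bits LSB first, parity, stop."""
    spb = RATE // baud
    line = [1] * (4 * spb)
    for byte in data:
        bits = [(byte >> i) & 1 for i in range(8)]
        if parity != "N":
            bits.append((sum(bits) + (parity == "O")) % 2)
        for level in [0] + bits + [1] * stop:
            line += [level] * spb
    return line + [1] * (4 * spb)

def receive(line, baud, parity="N", stop=1):
    """Decode samples with the receiver's own settings; return (bytes, error_count)."""
    spb = RATE / baud
    nbits = 9 + (parity != "N") + stop          # start + 8 data [+ parity] + stop
    out, errors, pos = bytearray(), 0, 0
    while pos + nbits * spb <= len(line):
        if line[pos]:                           # idle: wait for a falling edge
            pos += 1
            continue
        frame = [line[int(pos + (i + 0.5) * spb)] for i in range(nbits)]
        data, rest = frame[1:9], frame[9:]      # sampled at the centre of each bit
        ok = frame[0] == 0 and all(rest[-stop:])
        if parity != "N":                       # data plus parity bit must be even/odd
            ok = ok and (sum(data) + rest[0] + (parity == "O")) % 2 == 0
        if ok:
            out.append(sum(b << i for i, b in enumerate(data)))
        errors += not ok                        # framing or parity error
        pos += int((nbits - 0.5) * spb)         # resume inside the last stop bit
    return bytes(out), errors

def score(decoded, errors):
    """Share of frames that decoded cleanly to printable ASCII, CR or LF."""
    good = sum(32 <= b < 127 or b in (10, 13) for b in decoded)
    total = len(decoded) + errors
    return good / total if total else 0.0

def sweep(line, bauds=(9600, 57600, 115200, 230400), framings=("8N1", "8E1", "8O1", "8N2")):
    """Try every baud/framing pair; return (score, baud, framing, text) of the best."""
    results = []
    for baud in bauds:
        for f in framings:
            decoded, errors = receive(line, baud, f[1], int(f[2]))
            results.append((score(decoded, errors), baud, f, decoded))
    return max(results, key=lambda r: r[:2])
```

Calling `sweep(transmit(PROMPT))` returns the 115200/8N1 pair; passing `parity="E"` to `transmit` makes 8E1 the only clean decode, which is the case the comment above asks about.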

@Anonymous941
Author

Anonymous941 commented May 21, 2024

Finally got it to stop showing gibberish, but now it's showing me this:

sudo stty -F /dev/serial0 115200 inlcr
sudo screen /dev/serial0
Error - what Unknown command:  'CM> CM> '

CM> 
CM> 
CM> 
CM> 
CM> 
CM> 
CM> 
CM> Error - what Unknown command:  'CM> '

Error - what Unknown command:  'Error - what Unknown command:  'CM> ''

CM> 
CM> 
CM> 
CM> 
CM> 
CM> 
CM> 
CM> CM> 
command:  'CM> '

@Anonymous941
Author

Anonymous941 commented May 21, 2024

Okay, somehow that issue resolved itself. Thanks for your help so far, this is progress at least! Now I'm stuck with it showing the scanning log but no prompt.

@Anonymous941
Author

Anonymous941 commented May 22, 2024

Wait a minute, never mind! It turned out to be an issue with the Raspberry Pi console, and now it's working! I've got access to a CM shell, finally. Tomorrow I can try to run bcm2dump and hopefully post the flash. Thanks so much for helping.

@Anonymous941
Author

Anonymous941 commented May 22, 2024

@jclehner Here's a dump of everything mentioned in the README, let me know if I can help make the profile

@Anonymous941
Author

Closing as this issue is resolved, continuing on #65
