What is the approach to decrypt unknown GatewaySettings.bin?

[tosbaha]

Hi,
I am trying to decrypt my modem's GatewaySettings.bin file. I tried different profiles but it doesn't seem to work. When I check the file with hex editor, I saw B2 3E AD 05 34 75 2B 6F over and over again. So I think maybe this file is using static xor key. How can I test my theory? I don't have access to the firmware. I hope maybe this file have username and password for the telnet so that I can dump the firmware.

[jclehner]

Send me the file via email, and I'll see what I can find out! What device is this?

…

On Thu, Nov 15, 2018, 16:33 Mustafa Dur ***@***.*** wrote: Hi, I am trying to decrypt my modem's GatewaySettings.bin file. I tried different profiles but it doesn't seem to work. When I check the file with hex editor, I saw B2 3E AD 05 34 75 2B 6F over and over again. So I think maybe this file is using static xor key. How can I test my theory? I don't have access to the firmware. I hope maybe this file have username and password for the telnet so that I can dump the firmware. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#7>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABN32tqaCRuKaeEXsKDAXnE4ER8g_eS0ks5uvYlGgaJpZM4YgCMf> .

[tosbaha]

I don't know your email, so I am attaching here. [redacted] I downloaded settings file three times. I compared them, interestingly, first one's header is different than the other two. Model number is CBW-383ZN at its documentation is at http://netmaster.com.tr/files/prod//B9jG01GTDK.NETMASTER-CBW-383ZN-KULLANIM-KILAVUZU.PDF Last page says that it is produced by Castlenet Techology Inc.

[jclehner]

This looks like a 64bit block cipher in ECB mode, most likely DES or 3DES. This explains the repated blocks of 6F B2 3E AD 05 34 75 2B, which correspond to 00 00 00 00 00 00 00 00. Unfortunately, this means that a firmware dump is required to get at the default key. Do you have telnet and/or SNMP access?

[tosbaha]

I have telnet but I can't login because I don't know the password. I see the usual telnet banner

Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008
WARNING:  Access allowed by authorized users only.

ISP doesn't tell me the password. I don't know about the SNMP though. I tried to check port 161 and it seems closed.

[jclehner]

Try this: disconnect the coax cable, then reset the device to factory defaults. Disable any "firewall" settings in the web interface. Then check if you have SNMP access. If you do, try the following:

snmpset -v2c -c public 192.168.0.1 1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0 s "username"
snmpset -v2c -c public 192.168.0.1 1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0 s "password"

This should set the telnet username and password. In any case, do an snmpwalk and send me the resulting file. If 192.168.0.1 doesn't work, try 192.168.100.1.

[tosbaha]

I think I did something. I enabled an option and rebooted the device. I issued following command

snmpwalk -v 2c -c freerange 192.168.0.1  system

SNMPv2-MIB::sysDescr.0 = STRING: CBW-383ZN <<HW_REV: 1.0; VENDOR: TEKNOTEL; BOOTR: 2.4.0; SW_REV: 0081.545.392116mp5.799.009; MODEL: CBW-383ZN>>
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.4413.2.1.6
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (4900) 0:00:49.00
SNMPv2-MIB::sysContact.0 = STRING: (unknown)
SNMPv2-MIB::sysName.0 = STRING: CableHome
SNMPv2-MIB::sysLocation.0 = STRING: (unknown)
SNMPv2-MIB::sysServices.0 = INTEGER: 3
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::enterprises.4413.2.3.2.5
SNMPv2-MIB::sysORDescr.1 = STRING: An agent which supports all MIBs required by the DOCSIS 3.0 OSS specification.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00

However after couple of seconds, that command didn't work again. I guess it is disabling itself. So I should remove the coax cable I guess. I don't want to brick my internet connection right now. So I will try to set username and password tomorrow and let you know. What I should do next after I set the username and password? I am using macOS, so I guess I should either get a windows or a linux machine to try to dump the firmware. Is the following command correct?

bcm2dump dump 192.168.0.1,username,password

[jclehner]

SNMP is usually disabled by the ISP once the modem registers on the network. The command to try would be

bcm2dump dump 192.168.0.1,username,password flash image1 image1.bin

but it's possible that you only have access to a limited shell, in which case you could try

bcm2dump dump 192.168.0.1,username,password ram 0x80004000,16M image1.bin

Both bcm2dump and bcm2cfg work on macOS (binaries available here, but for best results compile from the latest sources).

[tosbaha]

OK I will try tomorrow and let you know. AFAIK, binaries don't include macOS, only windows, linux and source code. I have vm I can try from there. I will report back. Will telnet username and password will be reverted back, when modem connects to ISP again? Does GatewaySettings.bin have telnet username and password, so that if I restore, I will get my old settings back? Thanks once again for the help. I will tell the results tomorrow since I don't want my family to freak out and yell to me if internet goes away 😅

[tosbaha]

UPDATE:
Can't set the username and password because it says

snmpset -v2c -c public 192.168.0.1 1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0 s "username"
Error in packet.
Reason: notWritable (That object does not support modification)
Failed object: SNMPv2-SMI::enterprises.4413.2.2.2.1.1.1.2.0

Anyway, I got lucky and I learned the username and password from the manufacturer 😄
I tried the first command you said

./bcm2dump dump 192.168.0.1,username,password flash image1 image1.bin

I got

failed to switch to super-user; some functions might not work
error: telnet: read incomplete chunk 0x814e8eac: 0/16

I tried the second command
./bcm2dump dump 192.168.0.1,username,password ram 0x80004000,16M image1.bin

and again gave me the same response. I compiled from the source and tried on macOS.

I also tried the above commands on Ubuntu 18 again same error.

PS: I have found two username and password pair second pair is below

H@ly_Je$u$,Ble$$_Y@u>>^.^Day However, I can't use this because of >> chars. I can login with this password via telnet but bcm2dump doesn't support it because terminal eats those chars and bcm2dump treats " as a part of password.

[jclehner]

The trick is to put the quotes around the whole <ip>,<username>,<password> block, like so (also use -P generic and -vv):

./bcm2dump -vv -P generic dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' ram 0x80004000,16M image1.bin

[tosbaha]

I tried but again it didn't work

./bcm2dump -vv -P generic dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' ram 0x80004000,16M image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
failed to switch to super-user; some functions might not work
dumping ram:0x80004000-0x81003fff (16777216 b)
 ---.--% (0x80004000)      0 |     0  bytes/s (ETA      00:00:00)
read incomplete chunk 0x80004000: 0/8192; retrying

read incomplete chunk 0x80004000: 0/8192; retrying

read incomplete chunk 0x80004000: 0/8192; retrying

read incomplete chunk 0x80004000: 0/8192; retrying

read incomplete chunk 0x80004000: 0/8192; retrying

error: read incomplete chunk 0x80004000: 0/8192

context:
  <== ''
  ==> (empty)
  ==> 'Console> '
' <== '/read_memory -s 4 -n 8192 0x80004000
  ==> '/read_memory -s 4 -n 8192 0x80004000/read_memory -s 4 -n 8192 0x80004000'
  ==> (empty)
  ==> 'Error - what Unknown command:  '/read_memory -s 4 -n 8192 0x80004000''
  ==> (empty)
  ==> 'Console> '
  <== ''
  ==> (empty)
  ==> 'Console> '
' <== '/read_memory -s 4 -n 8192 0x80004000
  ==> '/read_memory -s 4 -n 8192 0x80004000/read_memory -s 4 -n 8192 0x80004000'
  ==> (empty)
  ==> 'Error - what Unknown command:  '/read_memory -s 4 -n 8192 0x80004000''
  ==> (empty)
  ==> 'Console> '
  <== ''
  <== ''
  ==> (empty)
  ==> 'Console> '
' <== '/read_memory -s 4 -n 8192 0x80004000
  ==> (empty)
  ==> 'Console> '
  ==> '/read_memory -s 4 -n 8192 0x80004000/read_memory -s 4 -n 8192 0x80004000'
  ==> (empty)
  ==> 'Error - what Unknown command:  '/read_memory -s 4 -n 8192 0x80004000''
  ==> (empty)
  ==> 'Console> '
  <== ''
  ==> (empty)
  ==> 'Console> '
' <== '/read_memory -s 4 -n 8192 0x80004000
  ==> '/read_memory -s 4 -n 8192 0x80004000/read_memory -s 4 -n 8192 0x80004000'
  ==> (empty)
  ==> 'Error - what Unknown command:  '/read_memory -s 4 -n 8192 0x80004000''
  ==> (empty)
  ==> 'Console> '
  <== ''
  ==> (empty)
  ==> 'Console> '
' <== '/read_memory -s 4 -n 8192 0x80004000
  ==> '/read_memory -s 4 -n 8192 0x80004000/read_memory -s 4 -n 8192 0x80004000'
  ==> (empty)
  ==> 'Error - what Unknown command:  '/read_memory -s 4 -n 8192 0x80004000''
  ==> (empty)
  ==> 'Console> '
' <== 'exit
  ==> (empty)

[jclehner]

Is this the latest version of bcm2dump?

[tosbaha]

Yes I used ubuntu and downloaded from the releases page. I also compiled from the source for the macOS. I think maybe they have disabled /read_memory command? Because when I login with telnet I see the following when I wrote help

Console> help
help

!               ?               REM             call            cd
dir             find_command    help            history         instances
ls              man             pwd             sleep           syntax
system_time     usage
----
dieTemperature  exit            reset           set             show
----
[cm] [eRouter] [emta] [ethernet] [ftpLite] [pingHelper] [system] [vendor]
[wifi]

Btw first user doesn't show anything when I type help but second user(H@ly_Je$u$) shows above.

[jclehner]

Try

cd system
help
help diag

What does that show?

[tosbaha]

Console/system> help
help

!               ?               REM             call            cd
dir             find_command    help            history         instances
ls              man             pwd             sleep           syntax
system_time     usage
----
diag            pktlog          set             show
----

Console/system> help diag
help diag

COMMAND:  diag

USAGE:  diag  [-p] [-c] [-s ParmSValue] [-n ParmNValue] [readmem|writemem|clear_debug_counters|show_debug_counters|set_debug_flow|snmp_reset|stale_nd] [Parm2] [Parm3]

DESCRIPTION:
Executes diag commands of the system


EXAMPLES:
readmem -s 4 -n 64 0x80001234  -- Reads 64 bytes as 32-bit values.
writemem 0x80001234 0x56       -- Write a byte to the address.
clear_debug_counters           -- Clear UTP debug counters.
show_debug_counters            -- Show debug counters for a selected flow.
set_debug_flow 0               -- Enable debug counters for the selected
                                  flow.
snmp_reset                     -- Reset sockets for all SNMP agents.
stale_nd                       -- Stale a ND entry.


---------------------------------------------------------------------------

[jclehner]

Please try compiling from the latest sources. The last release contains a bug that doesn't use /system/diag readmem in your case!

UPDATE: or, try the latest version, v0.9.2 (with macOS binaries too!).

[tosbaha]

I tried with macOS. It compiles but it didn't work as I said.

./bcm2dump -vv -P generic dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' ram 0x80004000,16M image1.bin

telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1

error: telnet: interface auto-detection failed

context:
  <== ''
  <== ''
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> 'Login: '
  ==> 'Password: '
  ==> (empty)
  ==> 'Invalid login...'
  ==> (empty)
  ==> 'Login: '

As you see, it can't get the username and password on macOS if there is a '

I tried to compile on Ubuntu but it fails to compile

$ git clone https://github.com/jclehner/bcm2-utils
$ cd bcm2-utils/
$ make
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor io.cc -o io.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor rwx.cc -o rwx.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor interface.cc -o interface.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor ps.cc -o ps.o
g++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor   -c -o bcm2dump.o bcm2dump.cc
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor util.cc -o util.o
cc -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" progress.c -o progress.o
cc -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" mipsasm.c -o mipsasm.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor profile.cc -o profile.o
cc -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\"   -c -o profiledef.o profiledef.c
g++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor io.o rwx.o interface.o ps.o bcm2dump.o util.o progress.o mipsasm.o profile.o profiledef.o -o bcm2dump 
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor nonvol2.cc -o nonvol2.o
g++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor   -c -o bcm2cfg.o bcm2cfg.cc
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor nonvoldef.cc -o nonvoldef.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor gwsettings.cc -o gwsettings.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor crypto.cc -o crypto.o
g++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor util.o nonvol2.o bcm2cfg.o nonvoldef.o gwsettings.o profile.o profiledef.o crypto.o -o bcm2cfg  -lssl -lcrypto 
g++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.1-37-g4889428\" -std=c++14 -Wnon-virtual-dtor   -c -o t_nonvol.o t_nonvol.cc
t_nonvol.cc: In function ‘void {anonymous}::test_group()’:
t_nonvol.cc:98:61: error: no matching function for call to ‘bcm2cfg::nv_group::read(std::stringstream&, bcm2dump::sp<bcm2cfg::nv_group>&, const int&, std::__cxx11::basic_string<char>::size_type)’
  nv_group::read(istr, group, nv_group::fmt_dyn, data1.size());
                                                             ^
In file included from t_nonvol.cc:20:0:
nonvol2.h:950:23: note: candidate: static std::istream& bcm2cfg::nv_group::read(std::istream&, bcm2dump::sp<bcm2cfg::nv_group>&, int, size_t, bcm2dump::csp<bcm2dump::profile>&)
  static std::istream& read(std::istream& is, sp<nv_group>& group, int format,
                       ^~~~
nonvol2.h:950:23: note:   candidate expects 5 arguments, 4 provided
nonvol2.h:972:24: note: candidate: virtual std::istream& bcm2cfg::nv_group::read(std::istream&)
  virtual std::istream& read(std::istream& is) override;
                        ^~~~
nonvol2.h:972:24: note:   candidate expects 1 argument, 4 provided
t_nonvol.cc:103:62: error: no matching function for call to ‘bcm2cfg::nv_group::read(std::stringstream&, bcm2dump::sp<bcm2cfg::nv_group>&, const int&, std::__cxx11::basic_string<char>::size_type)’
   nv_group::read(istr, group, nv_group::fmt_dyn, data1.size());
                                                              ^
In file included from t_nonvol.cc:20:0:
nonvol2.h:950:23: note: candidate: static std::istream& bcm2cfg::nv_group::read(std::istream&, bcm2dump::sp<bcm2cfg::nv_group>&, int, size_t, bcm2dump::csp<bcm2dump::profile>&)
  static std::istream& read(std::istream& is, sp<nv_group>& group, int format,
                       ^~~~
nonvol2.h:950:23: note:   candidate expects 5 arguments, 4 provided
nonvol2.h:972:24: note: candidate: virtual std::istream& bcm2cfg::nv_group::read(std::istream&)
  virtual std::istream& read(std::istream& is) override;
                        ^~~~
nonvol2.h:972:24: note:   candidate expects 1 argument, 4 provided
<builtin>: recipe for target 't_nonvol.o' failed
make: *** [t_nonvol.o] Error 1

[jclehner]

Do git pull && make. I've fixed this issue a few minutes ago!

[tosbaha]

It compiled but now I have this. I really don't get it. Single quote for password was working before. What I am doing wrong?

./bcm2dump -vv -P generic dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' ram 0x80004000,16M image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1

error: telnet: interface auto-detection failed

context:
  <== ''
  <== ''
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> 'Login: '

I tried once again the same command and this time worked! I don't know what was wrong. Here is the image file I extracted. [redacted]

[jclehner]

I've pushed 7873f93, which adds support for your device. The encryption used was DES in ECB mode, as predicted. Expect more updates...

[jclehner]

Using the latest commit (89fd3bc), please try the following:

bcm2dump -vv dump "192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day" flash image1,auto image1.bin
bcm2dump -vv dump "192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day" flash bootloader,64k bootloader.bin

[tosbaha]

Again, I am blocked lol 😅 I don't know why but I guess your telnet login code has flaws look at the output.

$ ./bcm2dump -vv dump "192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day" flash image1,auto image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1

error: telnet: telnet login failed

context:
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> 'Login: '
' <== 'H@ly_Je$
  ==> 'H@ly_Je$'
  ==> 'Password: '
' <== 'Ble1824_Y@u>>^.^Day
  <== ''
  ==> (empty)
  ==> (empty)
  ==> 'Invalid login...'

Currently, I can't reset the device. However, I will reset and try above commands again. I also try to decrypt the files and yes this time it worked. I see the settings. Thanks once again 😀

PS: I really want to learn how to RE firmware files. I tried to binwalk -e to extract the files but I don't know how should I proceed. I will really appreciate if you can tell me how did you find out it was DES and key.

[jclehner]

Use single quotes instead of double quotes, otherwise the shell will try to substitute $u, and will use only H@ly_Je$ as the login!

Regarding the ram dump you sent me, there's nothing to extract. These firmwares are basically one giant app (based on eCos), running directly on the system, so there's no filesystem, and no executable format.

[jclehner]

If you find the time, please post the output of

system/show flash

and

show version

Thanks!

[tosbaha]

Hi again.
Two dump commands you send didn't work. Here is the output for each of them

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image1,auto image1.bin

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image1,auto image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16

read incomplete chunk 0x82f00014: 0/16; retrying
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
profile auto-detection failed
failed to switch to super-user; some functions might not work

error: cannot create non-ram rwx object without a profile

context:
  ==> (empty)
  ==> '82f00014: fbbdf1a2  6f7dcdf8  1a673cd7  0b75476b | ....o}...g<..uGk'
  ==> (empty)
  ==> 'Console> '
' <== '/system/diag readmem -s 4 -n 16 0x82f00014
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x82f00014/system/diag readmem -s 4 -n 16 0x82f00014'
  ==> (empty)
  ==> '82f00014: fbbdf1a2  6f7dcdf8  1a673cd7  0b75476b | ....o}...g<..uGk'
' <== '/system/diag readmem -s 4 -n 16 0x814e8eac
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x814e8eac/system/diag readmem -s 4 -n 16 0x814e8eac'
  ==> (empty)
  ==> '814e8eac: ba63c706  b3ba174b  45908c95  30e26b7b | .c.....KE...0.k{'
' <== '/system/diag readmem -s 4 -n 16 0x814e953c
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x814e953c/system/diag readmem -s 4 -n 16 0x814e953c'
  ==> (empty)
  ==> '814e953c: 6f9f01d9  9f2210ea  294b370f  7c8feac9 | o...."..)K7.|...'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== '/system/diag readmem -s 4 -n 16 0x83f8e618
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x83f8e618/system/diag readmem -s 4 -n 16 0x83f8e618'
  ==> (empty)
  ==> '83f8e618: 057d0594  05b7055c  05f505ff  05860642 | .}.....\.......B'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== 'su
  ==> (empty)
  ==> 'Console> susu'
  ==> (empty)
  ==> 'Error - what Unknown command:  'su''
  ==> (empty)
  ==> 'Console> '
' <== 'exit
  ==> (empty)

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash bootloader,64k bootloader.bin

telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
profile auto-detection failed
failed to switch to super-user; some functions might not work

error: cannot create non-ram rwx object without a profile

context:
' <== '/system/diag readmem -s 4 -n 16 0x80f89da0
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x80f89da0/system/diag readmem -s 4 -n 16 0x80f89da0'
  ==> (empty)
  ==> '80f89da0: 7235676d  00000000  72786761  696e6572 | r5gm....rxgainer'
' <== '/system/diag readmem -s 4 -n 16 0x82f00014
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x82f00014/system/diag readmem -s 4 -n 16 0x82f00014'
  ==> (empty)
  ==> '82f00014: fbbdf1a2  6f7dcdf8  1a673cd7  0b75476b | ....o}...g<..uGk'
' <== '/system/diag readmem -s 4 -n 16 0x814e8eac
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x814e8eac/system/diag readmem -s 4 -n 16 0x814e8eac'
  ==> (empty)
  ==> '814e8eac: ba63c706  b3ba174b  45908c95  30e26b7b | .c.....KE...0.k{'
' <== '/system/diag readmem -s 4 -n 16 0x814e953c
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x814e953c/system/diag readmem -s 4 -n 16 0x814e953c'
  ==> (empty)
  ==> '814e953c: 6f9f01d9  9f2210ea  294b370f  7c8feac9 | o...."..)K7.|...'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== '/system/diag readmem -s 4 -n 16 0x83f8e618
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x83f8e618/system/diag readmem -s 4 -n 16 0x83f8e618'
  ==> (empty)
  ==> '83f8e618: 057d0594  05b7055c  05f505ff  05860642 | .}.....\.......B'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== 'su
  ==> (empty)
  ==> 'Console> susu'
  ==> (empty)
  ==> 'Error - what Unknown command:  'su''
  ==> (empty)
  ==> 'Console> '
' <== 'exit

system/show flash

Flash Device Information:

      CFI Compliant: no
        Command Set: Generic SPI Flash
   Device/Bus Width: x16
 Little Word Endian: no
    Fast Bulk Erase: no
    Multibyte Write: 256 bytes max
  Phys base address: 0xbadf1a5
 Uncached Virt addr: 0x1badf1a5
   Cached Virt addr: 0x2badf1a5
   Number of blocks: 513
         Total size: 33554432 bytes, 32 Mbytes
       Current mode: Read Array
        Device Size: 32 MB, Write buffer: 256, Flags: 0x1

      Size  Device      Device     Region
Block  kB   Address     Offset     Offset   Region Allocation
----- ---- ---------- ----------- --------- -----------------
    0   32 0x1badf1a5           0         0 Bootloader
    1   32 0x1bae71a5      0x8000    0x8000 Bootloader (65536 bytes)
    2   64 0x1baef1a5     0x10000         0 Permanent NonVol (65536 bytes)
    3   64 0x1baff1a5     0x20000         0 Image1
    4   64 0x1bb0f1a5     0x30000   0x10000 Image1
    5   64 0x1bb1f1a5     0x40000   0x20000 Image1
    6   64 0x1bb2f1a5     0x50000   0x30000 Image1
    7   64 0x1bb3f1a5     0x60000   0x40000 Image1
    8   64 0x1bb4f1a5     0x70000   0x50000 Image1
    9   64 0x1bb5f1a5     0x80000   0x60000 Image1
   10   64 0x1bb6f1a5     0x90000   0x70000 Image1
   11   64 0x1bb7f1a5     0xa0000   0x80000 Image1
   12   64 0x1bb8f1a5     0xb0000   0x90000 Image1
   13   64 0x1bb9f1a5     0xc0000   0xa0000 Image1
   14   64 0x1bbaf1a5     0xd0000   0xb0000 Image1
   15   64 0x1bbbf1a5     0xe0000   0xc0000 Image1
   16   64 0x1bbcf1a5     0xf0000   0xd0000 Image1
   17   64 0x1bbdf1a5    0x100000   0xe0000 Image1
   18   64 0x1bbef1a5    0x110000   0xf0000 Image1
   19   64 0x1bbff1a5    0x120000  0x100000 Image1
   20   64 0x1bc0f1a5    0x130000  0x110000 Image1
   21   64 0x1bc1f1a5    0x140000  0x120000 Image1
   22   64 0x1bc2f1a5    0x150000  0x130000 Image1
   23   64 0x1bc3f1a5    0x160000  0x140000 Image1
   24   64 0x1bc4f1a5    0x170000  0x150000 Image1
   25   64 0x1bc5f1a5    0x180000  0x160000 Image1
   26   64 0x1bc6f1a5    0x190000  0x170000 Image1
   27   64 0x1bc7f1a5    0x1a0000  0x180000 Image1
   28   64 0x1bc8f1a5    0x1b0000  0x190000 Image1
   29   64 0x1bc9f1a5    0x1c0000  0x1a0000 Image1
   30   64 0x1bcaf1a5    0x1d0000  0x1b0000 Image1
   31   64 0x1bcbf1a5    0x1e0000  0x1c0000 Image1
   32   64 0x1bccf1a5    0x1f0000  0x1d0000 Image1
   33   64 0x1bcdf1a5    0x200000  0x1e0000 Image1
   34   64 0x1bcef1a5    0x210000  0x1f0000 Image1
   35   64 0x1bcff1a5    0x220000  0x200000 Image1
   36   64 0x1bd0f1a5    0x230000  0x210000 Image1
   37   64 0x1bd1f1a5    0x240000  0x220000 Image1
   38   64 0x1bd2f1a5    0x250000  0x230000 Image1
   39   64 0x1bd3f1a5    0x260000  0x240000 Image1
   40   64 0x1bd4f1a5    0x270000  0x250000 Image1
   41   64 0x1bd5f1a5    0x280000  0x260000 Image1
   42   64 0x1bd6f1a5    0x290000  0x270000 Image1
   43   64 0x1bd7f1a5    0x2a0000  0x280000 Image1
   44   64 0x1bd8f1a5    0x2b0000  0x290000 Image1
   45   64 0x1bd9f1a5    0x2c0000  0x2a0000 Image1
   46   64 0x1bdaf1a5    0x2d0000  0x2b0000 Image1
   47   64 0x1bdbf1a5    0x2e0000  0x2c0000 Image1
   48   64 0x1bdcf1a5    0x2f0000  0x2d0000 Image1
   49   64 0x1bddf1a5    0x300000  0x2e0000 Image1
   50   64 0x1bdef1a5    0x310000  0x2f0000 Image1
   51   64 0x1bdff1a5    0x320000  0x300000 Image1
   52   64 0x1be0f1a5    0x330000  0x310000 Image1
   53   64 0x1be1f1a5    0x340000  0x320000 Image1
   54   64 0x1be2f1a5    0x350000  0x330000 Image1
   55   64 0x1be3f1a5    0x360000  0x340000 Image1
   56   64 0x1be4f1a5    0x370000  0x350000 Image1
   57   64 0x1be5f1a5    0x380000  0x360000 Image1
   58   64 0x1be6f1a5    0x390000  0x370000 Image1
   59   64 0x1be7f1a5    0x3a0000  0x380000 Image1
   60   64 0x1be8f1a5    0x3b0000  0x390000 Image1
   61   64 0x1be9f1a5    0x3c0000  0x3a0000 Image1
   62   64 0x1beaf1a5    0x3d0000  0x3b0000 Image1
   63   64 0x1bebf1a5    0x3e0000  0x3c0000 Image1
   64   64 0x1becf1a5    0x3f0000  0x3d0000 Image1
   65   64 0x1bedf1a5    0x400000  0x3e0000 Image1
   66   64 0x1beef1a5    0x410000  0x3f0000 Image1
   67   64 0x1beff1a5    0x420000  0x400000 Image1
   68   64 0x1bf0f1a5    0x430000  0x410000 Image1
   69   64 0x1bf1f1a5    0x440000  0x420000 Image1
   70   64 0x1bf2f1a5    0x450000  0x430000 Image1
   71   64 0x1bf3f1a5    0x460000  0x440000 Image1
   72   64 0x1bf4f1a5    0x470000  0x450000 Image1
   73   64 0x1bf5f1a5    0x480000  0x460000 Image1
   74   64 0x1bf6f1a5    0x490000  0x470000 Image1
   75   64 0x1bf7f1a5    0x4a0000  0x480000 Image1
   76   64 0x1bf8f1a5    0x4b0000  0x490000 Image1
   77   64 0x1bf9f1a5    0x4c0000  0x4a0000 Image1
   78   64 0x1bfaf1a5    0x4d0000  0x4b0000 Image1
   79   64 0x1bfbf1a5    0x4e0000  0x4c0000 Image1
   80   64 0x1bfcf1a5    0x4f0000  0x4d0000 Image1
   81   64 0x1bfdf1a5    0x500000  0x4e0000 Image1
   82   64 0x1bfef1a5    0x510000  0x4f0000 Image1
   83   64 0x1bfff1a5    0x520000  0x500000 Image1
   84   64 0x1c00f1a5    0x530000  0x510000 Image1
   85   64 0x1c01f1a5    0x540000  0x520000 Image1
   86   64 0x1c02f1a5    0x550000  0x530000 Image1
   87   64 0x1c03f1a5    0x560000  0x540000 Image1
   88   64 0x1c04f1a5    0x570000  0x550000 Image1
   89   64 0x1c05f1a5    0x580000  0x560000 Image1
   90   64 0x1c06f1a5    0x590000  0x570000 Image1
   91   64 0x1c07f1a5    0x5a0000  0x580000 Image1
   92   64 0x1c08f1a5    0x5b0000  0x590000 Image1
   93   64 0x1c09f1a5    0x5c0000  0x5a0000 Image1
   94   64 0x1c0af1a5    0x5d0000  0x5b0000 Image1
   95   64 0x1c0bf1a5    0x5e0000  0x5c0000 Image1
   96   64 0x1c0cf1a5    0x5f0000  0x5d0000 Image1
   97   64 0x1c0df1a5    0x600000  0x5e0000 Image1
   98   64 0x1c0ef1a5    0x610000  0x5f0000 Image1
   99   64 0x1c0ff1a5    0x620000  0x600000 Image1
  100   64 0x1c10f1a5    0x630000  0x610000 Image1
  101   64 0x1c11f1a5    0x640000  0x620000 Image1
  102   64 0x1c12f1a5    0x650000  0x630000 Image1
  103   64 0x1c13f1a5    0x660000  0x640000 Image1
  104   64 0x1c14f1a5    0x670000  0x650000 Image1
  105   64 0x1c15f1a5    0x680000  0x660000 Image1
  106   64 0x1c16f1a5    0x690000  0x670000 Image1
  107   64 0x1c17f1a5    0x6a0000  0x680000 Image1
  108   64 0x1c18f1a5    0x6b0000  0x690000 Image1
  109   64 0x1c19f1a5    0x6c0000  0x6a0000 Image1
  110   64 0x1c1af1a5    0x6d0000  0x6b0000 Image1
  111   64 0x1c1bf1a5    0x6e0000  0x6c0000 Image1
  112   64 0x1c1cf1a5    0x6f0000  0x6d0000 Image1
  113   64 0x1c1df1a5    0x700000  0x6e0000 Image1
  114   64 0x1c1ef1a5    0x710000  0x6f0000 Image1
  115   64 0x1c1ff1a5    0x720000  0x700000 Image1
  116   64 0x1c20f1a5    0x730000  0x710000 Image1
  117   64 0x1c21f1a5    0x740000  0x720000 Image1
  118   64 0x1c22f1a5    0x750000  0x730000 Image1
  119   64 0x1c23f1a5    0x760000  0x740000 Image1
  120   64 0x1c24f1a5    0x770000  0x750000 Image1
  121   64 0x1c25f1a5    0x780000  0x760000 Image1
  122   64 0x1c26f1a5    0x790000  0x770000 Image1
  123   64 0x1c27f1a5    0x7a0000  0x780000 Image1
  124   64 0x1c28f1a5    0x7b0000  0x790000 Image1
  125   64 0x1c29f1a5    0x7c0000  0x7a0000 Image1
  126   64 0x1c2af1a5    0x7d0000  0x7b0000 Image1
  127   64 0x1c2bf1a5    0x7e0000  0x7c0000 Image1
  128   64 0x1c2cf1a5    0x7f0000  0x7d0000 Image1
  129   64 0x1c2df1a5    0x800000  0x7e0000 Image1
  130   64 0x1c2ef1a5    0x810000  0x7f0000 Image1
  131   64 0x1c2ff1a5    0x820000  0x800000 Image1
  132   64 0x1c30f1a5    0x830000  0x810000 Image1
  133   64 0x1c31f1a5    0x840000  0x820000 Image1
  134   64 0x1c32f1a5    0x850000  0x830000 Image1
  135   64 0x1c33f1a5    0x860000  0x840000 Image1
  136   64 0x1c34f1a5    0x870000  0x850000 Image1
  137   64 0x1c35f1a5    0x880000  0x860000 Image1
  138   64 0x1c36f1a5    0x890000  0x870000 Image1
  139   64 0x1c37f1a5    0x8a0000  0x880000 Image1
  140   64 0x1c38f1a5    0x8b0000  0x890000 Image1
  141   64 0x1c39f1a5    0x8c0000  0x8a0000 Image1
  142   64 0x1c3af1a5    0x8d0000  0x8b0000 Image1
  143   64 0x1c3bf1a5    0x8e0000  0x8c0000 Image1
  144   64 0x1c3cf1a5    0x8f0000  0x8d0000 Image1
  145   64 0x1c3df1a5    0x900000  0x8e0000 Image1
  146   64 0x1c3ef1a5    0x910000  0x8f0000 Image1
  147   64 0x1c3ff1a5    0x920000  0x900000 Image1
  148   64 0x1c40f1a5    0x930000  0x910000 Image1
  149   64 0x1c41f1a5    0x940000  0x920000 Image1
  150   64 0x1c42f1a5    0x950000  0x930000 Image1
  151   64 0x1c43f1a5    0x960000  0x940000 Image1
  152   64 0x1c44f1a5    0x970000  0x950000 Image1
  153   64 0x1c45f1a5    0x980000  0x960000 Image1
  154   64 0x1c46f1a5    0x990000  0x970000 Image1
  155   64 0x1c47f1a5    0x9a0000  0x980000 Image1
  156   64 0x1c48f1a5    0x9b0000  0x990000 Image1
  157   64 0x1c49f1a5    0x9c0000  0x9a0000 Image1
  158   64 0x1c4af1a5    0x9d0000  0x9b0000 Image1
  159   64 0x1c4bf1a5    0x9e0000  0x9c0000 Image1
  160   64 0x1c4cf1a5    0x9f0000  0x9d0000 Image1
  161   64 0x1c4df1a5    0xa00000  0x9e0000 Image1
  162   64 0x1c4ef1a5    0xa10000  0x9f0000 Image1
  163   64 0x1c4ff1a5    0xa20000  0xa00000 Image1
  164   64 0x1c50f1a5    0xa30000  0xa10000 Image1
  165   64 0x1c51f1a5    0xa40000  0xa20000 Image1
  166   64 0x1c52f1a5    0xa50000  0xa30000 Image1
  167   64 0x1c53f1a5    0xa60000  0xa40000 Image1
  168   64 0x1c54f1a5    0xa70000  0xa50000 Image1
  169   64 0x1c55f1a5    0xa80000  0xa60000 Image1
  170   64 0x1c56f1a5    0xa90000  0xa70000 Image1
  171   64 0x1c57f1a5    0xaa0000  0xa80000 Image1
  172   64 0x1c58f1a5    0xab0000  0xa90000 Image1
  173   64 0x1c59f1a5    0xac0000  0xaa0000 Image1
  174   64 0x1c5af1a5    0xad0000  0xab0000 Image1
  175   64 0x1c5bf1a5    0xae0000  0xac0000 Image1
  176   64 0x1c5cf1a5    0xaf0000  0xad0000 Image1
  177   64 0x1c5df1a5    0xb00000  0xae0000 Image1
  178   64 0x1c5ef1a5    0xb10000  0xaf0000 Image1
  179   64 0x1c5ff1a5    0xb20000  0xb00000 Image1
  180   64 0x1c60f1a5    0xb30000  0xb10000 Image1
  181   64 0x1c61f1a5    0xb40000  0xb20000 Image1
  182   64 0x1c62f1a5    0xb50000  0xb30000 Image1
  183   64 0x1c63f1a5    0xb60000  0xb40000 Image1
  184   64 0x1c64f1a5    0xb70000  0xb50000 Image1
  185   64 0x1c65f1a5    0xb80000  0xb60000 Image1
  186   64 0x1c66f1a5    0xb90000  0xb70000 Image1
  187   64 0x1c67f1a5    0xba0000  0xb80000 Image1
  188   64 0x1c68f1a5    0xbb0000  0xb90000 Image1
  189   64 0x1c69f1a5    0xbc0000  0xba0000 Image1
  190   64 0x1c6af1a5    0xbd0000  0xbb0000 Image1
  191   64 0x1c6bf1a5    0xbe0000  0xbc0000 Image1
  192   64 0x1c6cf1a5    0xbf0000  0xbd0000 Image1
  193   64 0x1c6df1a5    0xc00000  0xbe0000 Image1
  194   64 0x1c6ef1a5    0xc10000  0xbf0000 Image1
  195   64 0x1c6ff1a5    0xc20000  0xc00000 Image1
  196   64 0x1c70f1a5    0xc30000  0xc10000 Image1
  197   64 0x1c71f1a5    0xc40000  0xc20000 Image1
  198   64 0x1c72f1a5    0xc50000  0xc30000 Image1
  199   64 0x1c73f1a5    0xc60000  0xc40000 Image1
  200   64 0x1c74f1a5    0xc70000  0xc50000 Image1
  201   64 0x1c75f1a5    0xc80000  0xc60000 Image1
  202   64 0x1c76f1a5    0xc90000  0xc70000 Image1
  203   64 0x1c77f1a5    0xca0000  0xc80000 Image1
  204   64 0x1c78f1a5    0xcb0000  0xc90000 Image1
  205   64 0x1c79f1a5    0xcc0000  0xca0000 Image1
  206   64 0x1c7af1a5    0xcd0000  0xcb0000 Image1
  207   64 0x1c7bf1a5    0xce0000  0xcc0000 Image1
  208   64 0x1c7cf1a5    0xcf0000  0xcd0000 Image1
  209   64 0x1c7df1a5    0xd00000  0xce0000 Image1
  210   64 0x1c7ef1a5    0xd10000  0xcf0000 Image1
  211   64 0x1c7ff1a5    0xd20000  0xd00000 Image1
  212   64 0x1c80f1a5    0xd30000  0xd10000 Image1
  213   64 0x1c81f1a5    0xd40000  0xd20000 Image1
  214   64 0x1c82f1a5    0xd50000  0xd30000 Image1
  215   64 0x1c83f1a5    0xd60000  0xd40000 Image1
  216   64 0x1c84f1a5    0xd70000  0xd50000 Image1
  217   64 0x1c85f1a5    0xd80000  0xd60000 Image1
  218   64 0x1c86f1a5    0xd90000  0xd70000 Image1
  219   64 0x1c87f1a5    0xda0000  0xd80000 Image1
  220   64 0x1c88f1a5    0xdb0000  0xd90000 Image1
  221   64 0x1c89f1a5    0xdc0000  0xda0000 Image1
  222   64 0x1c8af1a5    0xdd0000  0xdb0000 Image1
  223   64 0x1c8bf1a5    0xde0000  0xdc0000 Image1
  224   64 0x1c8cf1a5    0xdf0000  0xdd0000 Image1
  225   64 0x1c8df1a5    0xe00000  0xde0000 Image1
  226   64 0x1c8ef1a5    0xe10000  0xdf0000 Image1
  227   64 0x1c8ff1a5    0xe20000  0xe00000 Image1
  228   64 0x1c90f1a5    0xe30000  0xe10000 Image1
  229   64 0x1c91f1a5    0xe40000  0xe20000 Image1
  230   64 0x1c92f1a5    0xe50000  0xe30000 Image1
  231   64 0x1c93f1a5    0xe60000  0xe40000 Image1
  232   64 0x1c94f1a5    0xe70000  0xe50000 Image1
  233   64 0x1c95f1a5    0xe80000  0xe60000 Image1
  234   64 0x1c96f1a5    0xe90000  0xe70000 Image1
  235   64 0x1c97f1a5    0xea0000  0xe80000 Image1
  236   64 0x1c98f1a5    0xeb0000  0xe90000 Image1
  237   64 0x1c99f1a5    0xec0000  0xea0000 Image1
  238   64 0x1c9af1a5    0xed0000  0xeb0000 Image1
  239   64 0x1c9bf1a5    0xee0000  0xec0000 Image1
  240   64 0x1c9cf1a5    0xef0000  0xed0000 Image1
  241   64 0x1c9df1a5    0xf00000  0xee0000 Image1
  242   64 0x1c9ef1a5    0xf10000  0xef0000 Image1
  243   64 0x1c9ff1a5    0xf20000  0xf00000 Image1
  244   64 0x1ca0f1a5    0xf30000  0xf10000 Image1
  245   64 0x1ca1f1a5    0xf40000  0xf20000 Image1
  246   64 0x1ca2f1a5    0xf50000  0xf30000 Image1
  247   64 0x1ca3f1a5    0xf60000  0xf40000 Image1
  248   64 0x1ca4f1a5    0xf70000  0xf50000 Image1
  249   64 0x1ca5f1a5    0xf80000  0xf60000 Image1
  250   64 0x1ca6f1a5    0xf90000  0xf70000 Image1
  251   64 0x1ca7f1a5    0xfa0000  0xf80000 Image1
  252   64 0x1ca8f1a5    0xfb0000  0xf90000 Image1
  253   64 0x1ca9f1a5    0xfc0000  0xfa0000 Image1
  254   64 0x1caaf1a5    0xfd0000  0xfb0000 Image1
  255   64 0x1cabf1a5    0xfe0000  0xfc0000 Image1
  256   64 0x1cacf1a5    0xff0000  0xfd0000 Image1 (16646144 bytes)
  257   64 0x1cadf1a5   0x1000000         0 Image2
  258   64 0x1caef1a5   0x1010000   0x10000 Image2
  259   64 0x1caff1a5   0x1020000   0x20000 Image2
  260   64 0x1cb0f1a5   0x1030000   0x30000 Image2
  261   64 0x1cb1f1a5   0x1040000   0x40000 Image2
  262   64 0x1cb2f1a5   0x1050000   0x50000 Image2
  263   64 0x1cb3f1a5   0x1060000   0x60000 Image2
  264   64 0x1cb4f1a5   0x1070000   0x70000 Image2
  265   64 0x1cb5f1a5   0x1080000   0x80000 Image2
  266   64 0x1cb6f1a5   0x1090000   0x90000 Image2
  267   64 0x1cb7f1a5   0x10a0000   0xa0000 Image2
  268   64 0x1cb8f1a5   0x10b0000   0xb0000 Image2
  269   64 0x1cb9f1a5   0x10c0000   0xc0000 Image2
  270   64 0x1cbaf1a5   0x10d0000   0xd0000 Image2
  271   64 0x1cbbf1a5   0x10e0000   0xe0000 Image2
  272   64 0x1cbcf1a5   0x10f0000   0xf0000 Image2
  273   64 0x1cbdf1a5   0x1100000  0x100000 Image2
  274   64 0x1cbef1a5   0x1110000  0x110000 Image2
  275   64 0x1cbff1a5   0x1120000  0x120000 Image2
  276   64 0x1cc0f1a5   0x1130000  0x130000 Image2
  277   64 0x1cc1f1a5   0x1140000  0x140000 Image2
  278   64 0x1cc2f1a5   0x1150000  0x150000 Image2
  279   64 0x1cc3f1a5   0x1160000  0x160000 Image2
  280   64 0x1cc4f1a5   0x1170000  0x170000 Image2
  281   64 0x1cc5f1a5   0x1180000  0x180000 Image2
  282   64 0x1cc6f1a5   0x1190000  0x190000 Image2
  283   64 0x1cc7f1a5   0x11a0000  0x1a0000 Image2
  284   64 0x1cc8f1a5   0x11b0000  0x1b0000 Image2
  285   64 0x1cc9f1a5   0x11c0000  0x1c0000 Image2
  286   64 0x1ccaf1a5   0x11d0000  0x1d0000 Image2
  287   64 0x1ccbf1a5   0x11e0000  0x1e0000 Image2
  288   64 0x1cccf1a5   0x11f0000  0x1f0000 Image2
  289   64 0x1ccdf1a5   0x1200000  0x200000 Image2
  290   64 0x1ccef1a5   0x1210000  0x210000 Image2
  291   64 0x1ccff1a5   0x1220000  0x220000 Image2
  292   64 0x1cd0f1a5   0x1230000  0x230000 Image2
  293   64 0x1cd1f1a5   0x1240000  0x240000 Image2
  294   64 0x1cd2f1a5   0x1250000  0x250000 Image2
  295   64 0x1cd3f1a5   0x1260000  0x260000 Image2
  296   64 0x1cd4f1a5   0x1270000  0x270000 Image2
  297   64 0x1cd5f1a5   0x1280000  0x280000 Image2
  298   64 0x1cd6f1a5   0x1290000  0x290000 Image2
  299   64 0x1cd7f1a5   0x12a0000  0x2a0000 Image2
  300   64 0x1cd8f1a5   0x12b0000  0x2b0000 Image2
  301   64 0x1cd9f1a5   0x12c0000  0x2c0000 Image2
  302   64 0x1cdaf1a5   0x12d0000  0x2d0000 Image2
  303   64 0x1cdbf1a5   0x12e0000  0x2e0000 Image2
  304   64 0x1cdcf1a5   0x12f0000  0x2f0000 Image2
  305   64 0x1cddf1a5   0x1300000  0x300000 Image2
  306   64 0x1cdef1a5   0x1310000  0x310000 Image2
  307   64 0x1cdff1a5   0x1320000  0x320000 Image2
  308   64 0x1ce0f1a5   0x1330000  0x330000 Image2
  309   64 0x1ce1f1a5   0x1340000  0x340000 Image2
  310   64 0x1ce2f1a5   0x1350000  0x350000 Image2
  311   64 0x1ce3f1a5   0x1360000  0x360000 Image2
  312   64 0x1ce4f1a5   0x1370000  0x370000 Image2
  313   64 0x1ce5f1a5   0x1380000  0x380000 Image2
  314   64 0x1ce6f1a5   0x1390000  0x390000 Image2
  315   64 0x1ce7f1a5   0x13a0000  0x3a0000 Image2
  316   64 0x1ce8f1a5   0x13b0000  0x3b0000 Image2
  317   64 0x1ce9f1a5   0x13c0000  0x3c0000 Image2
  318   64 0x1ceaf1a5   0x13d0000  0x3d0000 Image2
  319   64 0x1cebf1a5   0x13e0000  0x3e0000 Image2
  320   64 0x1cecf1a5   0x13f0000  0x3f0000 Image2
  321   64 0x1cedf1a5   0x1400000  0x400000 Image2
  322   64 0x1ceef1a5   0x1410000  0x410000 Image2
  323   64 0x1ceff1a5   0x1420000  0x420000 Image2
  324   64 0x1cf0f1a5   0x1430000  0x430000 Image2
  325   64 0x1cf1f1a5   0x1440000  0x440000 Image2
  326   64 0x1cf2f1a5   0x1450000  0x450000 Image2
  327   64 0x1cf3f1a5   0x1460000  0x460000 Image2
  328   64 0x1cf4f1a5   0x1470000  0x470000 Image2
  329   64 0x1cf5f1a5   0x1480000  0x480000 Image2
  330   64 0x1cf6f1a5   0x1490000  0x490000 Image2
  331   64 0x1cf7f1a5   0x14a0000  0x4a0000 Image2
  332   64 0x1cf8f1a5   0x14b0000  0x4b0000 Image2
  333   64 0x1cf9f1a5   0x14c0000  0x4c0000 Image2
  334   64 0x1cfaf1a5   0x14d0000  0x4d0000 Image2
  335   64 0x1cfbf1a5   0x14e0000  0x4e0000 Image2
  336   64 0x1cfcf1a5   0x14f0000  0x4f0000 Image2
  337   64 0x1cfdf1a5   0x1500000  0x500000 Image2
  338   64 0x1cfef1a5   0x1510000  0x510000 Image2
  339   64 0x1cfff1a5   0x1520000  0x520000 Image2
  340   64 0x1d00f1a5   0x1530000  0x530000 Image2
  341   64 0x1d01f1a5   0x1540000  0x540000 Image2
  342   64 0x1d02f1a5   0x1550000  0x550000 Image2
  343   64 0x1d03f1a5   0x1560000  0x560000 Image2
  344   64 0x1d04f1a5   0x1570000  0x570000 Image2
  345   64 0x1d05f1a5   0x1580000  0x580000 Image2
  346   64 0x1d06f1a5   0x1590000  0x590000 Image2
  347   64 0x1d07f1a5   0x15a0000  0x5a0000 Image2
  348   64 0x1d08f1a5   0x15b0000  0x5b0000 Image2
  349   64 0x1d09f1a5   0x15c0000  0x5c0000 Image2
  350   64 0x1d0af1a5   0x15d0000  0x5d0000 Image2
  351   64 0x1d0bf1a5   0x15e0000  0x5e0000 Image2
  352   64 0x1d0cf1a5   0x15f0000  0x5f0000 Image2
  353   64 0x1d0df1a5   0x1600000  0x600000 Image2
  354   64 0x1d0ef1a5   0x1610000  0x610000 Image2
  355   64 0x1d0ff1a5   0x1620000  0x620000 Image2
  356   64 0x1d10f1a5   0x1630000  0x630000 Image2
  357   64 0x1d11f1a5   0x1640000  0x640000 Image2
  358   64 0x1d12f1a5   0x1650000  0x650000 Image2
  359   64 0x1d13f1a5   0x1660000  0x660000 Image2
  360   64 0x1d14f1a5   0x1670000  0x670000 Image2
  361   64 0x1d15f1a5   0x1680000  0x680000 Image2
  362   64 0x1d16f1a5   0x1690000  0x690000 Image2
  363   64 0x1d17f1a5   0x16a0000  0x6a0000 Image2
  364   64 0x1d18f1a5   0x16b0000  0x6b0000 Image2
  365   64 0x1d19f1a5   0x16c0000  0x6c0000 Image2
  366   64 0x1d1af1a5   0x16d0000  0x6d0000 Image2
  367   64 0x1d1bf1a5   0x16e0000  0x6e0000 Image2
  368   64 0x1d1cf1a5   0x16f0000  0x6f0000 Image2
  369   64 0x1d1df1a5   0x1700000  0x700000 Image2
  370   64 0x1d1ef1a5   0x1710000  0x710000 Image2
  371   64 0x1d1ff1a5   0x1720000  0x720000 Image2
  372   64 0x1d20f1a5   0x1730000  0x730000 Image2
  373   64 0x1d21f1a5   0x1740000  0x740000 Image2
  374   64 0x1d22f1a5   0x1750000  0x750000 Image2
  375   64 0x1d23f1a5   0x1760000  0x760000 Image2
  376   64 0x1d24f1a5   0x1770000  0x770000 Image2
  377   64 0x1d25f1a5   0x1780000  0x780000 Image2
  378   64 0x1d26f1a5   0x1790000  0x790000 Image2
  379   64 0x1d27f1a5   0x17a0000  0x7a0000 Image2
  380   64 0x1d28f1a5   0x17b0000  0x7b0000 Image2
  381   64 0x1d29f1a5   0x17c0000  0x7c0000 Image2
  382   64 0x1d2af1a5   0x17d0000  0x7d0000 Image2
  383   64 0x1d2bf1a5   0x17e0000  0x7e0000 Image2
  384   64 0x1d2cf1a5   0x17f0000  0x7f0000 Image2
  385   64 0x1d2df1a5   0x1800000  0x800000 Image2
  386   64 0x1d2ef1a5   0x1810000  0x810000 Image2
  387   64 0x1d2ff1a5   0x1820000  0x820000 Image2
  388   64 0x1d30f1a5   0x1830000  0x830000 Image2
  389   64 0x1d31f1a5   0x1840000  0x840000 Image2
  390   64 0x1d32f1a5   0x1850000  0x850000 Image2
  391   64 0x1d33f1a5   0x1860000  0x860000 Image2
  392   64 0x1d34f1a5   0x1870000  0x870000 Image2
  393   64 0x1d35f1a5   0x1880000  0x880000 Image2
  394   64 0x1d36f1a5   0x1890000  0x890000 Image2
  395   64 0x1d37f1a5   0x18a0000  0x8a0000 Image2
  396   64 0x1d38f1a5   0x18b0000  0x8b0000 Image2
  397   64 0x1d39f1a5   0x18c0000  0x8c0000 Image2
  398   64 0x1d3af1a5   0x18d0000  0x8d0000 Image2
  399   64 0x1d3bf1a5   0x18e0000  0x8e0000 Image2
  400   64 0x1d3cf1a5   0x18f0000  0x8f0000 Image2
  401   64 0x1d3df1a5   0x1900000  0x900000 Image2
  402   64 0x1d3ef1a5   0x1910000  0x910000 Image2
  403   64 0x1d3ff1a5   0x1920000  0x920000 Image2
  404   64 0x1d40f1a5   0x1930000  0x930000 Image2
  405   64 0x1d41f1a5   0x1940000  0x940000 Image2
  406   64 0x1d42f1a5   0x1950000  0x950000 Image2
  407   64 0x1d43f1a5   0x1960000  0x960000 Image2
  408   64 0x1d44f1a5   0x1970000  0x970000 Image2
  409   64 0x1d45f1a5   0x1980000  0x980000 Image2
  410   64 0x1d46f1a5   0x1990000  0x990000 Image2
  411   64 0x1d47f1a5   0x19a0000  0x9a0000 Image2
  412   64 0x1d48f1a5   0x19b0000  0x9b0000 Image2
  413   64 0x1d49f1a5   0x19c0000  0x9c0000 Image2
  414   64 0x1d4af1a5   0x19d0000  0x9d0000 Image2
  415   64 0x1d4bf1a5   0x19e0000  0x9e0000 Image2
  416   64 0x1d4cf1a5   0x19f0000  0x9f0000 Image2
  417   64 0x1d4df1a5   0x1a00000  0xa00000 Image2
  418   64 0x1d4ef1a5   0x1a10000  0xa10000 Image2
  419   64 0x1d4ff1a5   0x1a20000  0xa20000 Image2
  420   64 0x1d50f1a5   0x1a30000  0xa30000 Image2
  421   64 0x1d51f1a5   0x1a40000  0xa40000 Image2
  422   64 0x1d52f1a5   0x1a50000  0xa50000 Image2
  423   64 0x1d53f1a5   0x1a60000  0xa60000 Image2
  424   64 0x1d54f1a5   0x1a70000  0xa70000 Image2
  425   64 0x1d55f1a5   0x1a80000  0xa80000 Image2
  426   64 0x1d56f1a5   0x1a90000  0xa90000 Image2
  427   64 0x1d57f1a5   0x1aa0000  0xaa0000 Image2
  428   64 0x1d58f1a5   0x1ab0000  0xab0000 Image2
  429   64 0x1d59f1a5   0x1ac0000  0xac0000 Image2
  430   64 0x1d5af1a5   0x1ad0000  0xad0000 Image2
  431   64 0x1d5bf1a5   0x1ae0000  0xae0000 Image2
  432   64 0x1d5cf1a5   0x1af0000  0xaf0000 Image2
  433   64 0x1d5df1a5   0x1b00000  0xb00000 Image2
  434   64 0x1d5ef1a5   0x1b10000  0xb10000 Image2
  435   64 0x1d5ff1a5   0x1b20000  0xb20000 Image2
  436   64 0x1d60f1a5   0x1b30000  0xb30000 Image2
  437   64 0x1d61f1a5   0x1b40000  0xb40000 Image2
  438   64 0x1d62f1a5   0x1b50000  0xb50000 Image2
  439   64 0x1d63f1a5   0x1b60000  0xb60000 Image2
  440   64 0x1d64f1a5   0x1b70000  0xb70000 Image2
  441   64 0x1d65f1a5   0x1b80000  0xb80000 Image2
  442   64 0x1d66f1a5   0x1b90000  0xb90000 Image2
  443   64 0x1d67f1a5   0x1ba0000  0xba0000 Image2
  444   64 0x1d68f1a5   0x1bb0000  0xbb0000 Image2
  445   64 0x1d69f1a5   0x1bc0000  0xbc0000 Image2
  446   64 0x1d6af1a5   0x1bd0000  0xbd0000 Image2
  447   64 0x1d6bf1a5   0x1be0000  0xbe0000 Image2
  448   64 0x1d6cf1a5   0x1bf0000  0xbf0000 Image2
  449   64 0x1d6df1a5   0x1c00000  0xc00000 Image2
  450   64 0x1d6ef1a5   0x1c10000  0xc10000 Image2
  451   64 0x1d6ff1a5   0x1c20000  0xc20000 Image2
  452   64 0x1d70f1a5   0x1c30000  0xc30000 Image2
  453   64 0x1d71f1a5   0x1c40000  0xc40000 Image2
  454   64 0x1d72f1a5   0x1c50000  0xc50000 Image2
  455   64 0x1d73f1a5   0x1c60000  0xc60000 Image2
  456   64 0x1d74f1a5   0x1c70000  0xc70000 Image2
  457   64 0x1d75f1a5   0x1c80000  0xc80000 Image2
  458   64 0x1d76f1a5   0x1c90000  0xc90000 Image2
  459   64 0x1d77f1a5   0x1ca0000  0xca0000 Image2
  460   64 0x1d78f1a5   0x1cb0000  0xcb0000 Image2
  461   64 0x1d79f1a5   0x1cc0000  0xcc0000 Image2
  462   64 0x1d7af1a5   0x1cd0000  0xcd0000 Image2
  463   64 0x1d7bf1a5   0x1ce0000  0xce0000 Image2
  464   64 0x1d7cf1a5   0x1cf0000  0xcf0000 Image2
  465   64 0x1d7df1a5   0x1d00000  0xd00000 Image2
  466   64 0x1d7ef1a5   0x1d10000  0xd10000 Image2
  467   64 0x1d7ff1a5   0x1d20000  0xd20000 Image2
  468   64 0x1d80f1a5   0x1d30000  0xd30000 Image2
  469   64 0x1d81f1a5   0x1d40000  0xd40000 Image2
  470   64 0x1d82f1a5   0x1d50000  0xd50000 Image2
  471   64 0x1d83f1a5   0x1d60000  0xd60000 Image2
  472   64 0x1d84f1a5   0x1d70000  0xd70000 Image2
  473   64 0x1d85f1a5   0x1d80000  0xd80000 Image2
  474   64 0x1d86f1a5   0x1d90000  0xd90000 Image2
  475   64 0x1d87f1a5   0x1da0000  0xda0000 Image2
  476   64 0x1d88f1a5   0x1db0000  0xdb0000 Image2
  477   64 0x1d89f1a5   0x1dc0000  0xdc0000 Image2
  478   64 0x1d8af1a5   0x1dd0000  0xdd0000 Image2
  479   64 0x1d8bf1a5   0x1de0000  0xde0000 Image2
  480   64 0x1d8cf1a5   0x1df0000  0xdf0000 Image2
  481   64 0x1d8df1a5   0x1e00000  0xe00000 Image2
  482   64 0x1d8ef1a5   0x1e10000  0xe10000 Image2
  483   64 0x1d8ff1a5   0x1e20000  0xe20000 Image2
  484   64 0x1d90f1a5   0x1e30000  0xe30000 Image2
  485   64 0x1d91f1a5   0x1e40000  0xe40000 Image2
  486   64 0x1d92f1a5   0x1e50000  0xe50000 Image2
  487   64 0x1d93f1a5   0x1e60000  0xe60000 Image2
  488   64 0x1d94f1a5   0x1e70000  0xe70000 Image2
  489   64 0x1d95f1a5   0x1e80000  0xe80000 Image2
  490   64 0x1d96f1a5   0x1e90000  0xe90000 Image2
  491   64 0x1d97f1a5   0x1ea0000  0xea0000 Image2
  492   64 0x1d98f1a5   0x1eb0000  0xeb0000 Image2
  493   64 0x1d99f1a5   0x1ec0000  0xec0000 Image2
  494   64 0x1d9af1a5   0x1ed0000  0xed0000 Image2
  495   64 0x1d9bf1a5   0x1ee0000  0xee0000 Image2
  496   64 0x1d9cf1a5   0x1ef0000  0xef0000 Image2
  497   64 0x1d9df1a5   0x1f00000  0xf00000 Image2
  498   64 0x1d9ef1a5   0x1f10000  0xf10000 Image2
  499   64 0x1d9ff1a5   0x1f20000  0xf20000 Image2
  500   64 0x1da0f1a5   0x1f30000  0xf30000 Image2
  501   64 0x1da1f1a5   0x1f40000  0xf40000 Image2
  502   64 0x1da2f1a5   0x1f50000  0xf50000 Image2
  503   64 0x1da3f1a5   0x1f60000  0xf60000 Image2
  504   64 0x1da4f1a5   0x1f70000  0xf70000 Image2
  505   64 0x1da5f1a5   0x1f80000  0xf80000 Image2
  506   64 0x1da6f1a5   0x1f90000  0xf90000 Image2
  507   64 0x1da7f1a5   0x1fa0000  0xfa0000 Image2
  508   64 0x1da8f1a5   0x1fb0000  0xfb0000 Image2
  509   64 0x1da9f1a5   0x1fc0000  0xfc0000 Image2
  510   64 0x1daaf1a5   0x1fd0000  0xfd0000 Image2
  511   64 0x1dabf1a5   0x1fe0000  0xfe0000 Image2 (16711680 bytes)
  512   64 0x1dacf1a5   0x1ff0000         0 Dynamic NonVol (65536 bytes)

show version

                          *
                         * *
                         * *
                        *   *
                        *   *
                       *     *
                       *     *
                       *     *
                      *       *
                      *       *
                      *       *
                     *         *
                     *         *
                     *         *
                     *         *
                    *           *
          *         *           *         *
        *   *       *           *       *   *          ***
*     *      *     *             *     *      *     *       *******************
   *          *   *               *   *          *
                *                   *

Broadcom Corporation Reference Design

 +----------------------------------------------------------------------------+
 |       _/_/     _/_/_/_/    _/_/                                            |
 |      _/  _/   _/        _/    _/   Broadband                               |
 |     _/  _/   _/        _/                                                  |
 |    _/_/     _/_/_/    _/           Foundation                              |
 |   _/  _/   _/        _/                                                    |
 |  _/   _/  _/        _/    _/       Classes                                 |
 | _/_/_/   _/          _/_/                                                  |
 |                                                                            |
 | Copyright (c) 1999 - 2014 Broadcom Corporation                             |
 |                                                                            |
 | Revision:  5.4.5                                                           |
 |                                                                            |
 | Features:  CBW-383ZN Console TelnetConsole Nonvol Fat HeapManager SNMP     |
 | Features:  Networking IPv6 (script CBW-383ZN) Switch53124 TR69             |
 +----------------------------------------------------------------------------+
 | Standard Embedded Target Support for BFC                                   |
 |                                                                            |
 | Copyright (c) 2003-2014 Broadcom Corporation                               |
 |                                                                            |
 | Revision:  3.0.1                                                           |
 |                                                                            |
 | Features:  PID=0x8364 BID=0x0 Bootloader-Rev=2.4.0                         |
 | Features:  Bootloader-Compression-Support=0x11 MANUFACT_BITS=0xb           |
 | Features:  Bcm80211=Build Aug  9 2017 15:14:51                             |
 | Features:  App Ver 6.37.14.87.5510.181.8                                   |
 | Features:  Wl Ver 6.37.14.87.5510.181.8                                    |
 +----------------------------------------------------------------------------+
 | eCos BFC Application Layer                                                 |
 |                                                                            |
 | Copyright (c) 1999 - 2014 Broadcom Corporation                             |
 |                                                                            |
 | Revision:  3.0.2                                                           |
 |                                                                            |
 | Features:  eCos Console Cmds, (no Idle Loop Profiler)                      |
 +----------------------------------------------------------------------------+
 |         _/_/    _/     _/                                                  |
 |      _/    _/  _/_/ _/_/   DOCSIS Cable Modem                              |
 |     _/        _/  _/ _/                                                    |
 |    _/        _/     _/                                                     |
 |   _/        _/     _/                                                      |
 |  _/    _/  _/     _/                                                       |
 |   _/_/    _/     _/                                                        |
 |                                                                            |
 | Copyright (c) 1999 - 2014 Broadcom Corporation                             |
 |                                                                            |
 | Revision:  5.4.5                                                           |
 |                                                                            |
 | Features:  AckCel(tm) DOCSIS 1.0/1.1/2.0/3.0 Propane(tm) CM SNMP w/Factory |
 | Features:  MIB Support CM Vendor Extension eDOCSIS SLED D3.0 Drop          |
 | Features:  Classifiers FAP NA Production                                   |
 +----------------------------------------------------------------------------+
 | Broadcom Data-Only CM Vendor Extension                                     |
 |                                                                            |
 | Copyright (c) 1999 - 2014 Broadcom Corporation                             |
 |                                                                            |
 | Revision:  3.0.2                                                           |
 |                                                                            |
 | Features:  DHCP Server  HTTP Server  OSS2-N-03025 Visualization LED        |
 | Features:  Controller  Reset/Standby Switch Support                        |
 +----------------------------------------------------------------------------+
 |                 _/_/_/                                                     |
 |        _/_/    _/    _/    eRouter Dual Stack                              |
 |     _/    _/  _/    _/                                                     |
 |    _/_/_/_/  _/_/_/                                                        |
 |   _/        _/ _/                                                          |
 |  _/        _/   _/                                                         |
 |   _/_/_/  _/     _/                                                        |
 |                                                                            |
 | Copyright (c) 1999 - 2014 Broadcom Corporation                             |
 |                                                                            |
 | Revision:  5.4.5                                                           |
 |                                                                            |
 | Features:  eRouter SNMP Customer Extension NATP DS-Lite HomeHotspot        |
 +----------------------------------------------------------------------------+
 | Broadcom eRouter Customer Extension                                        |
 |                                                                            |
 | Copyright (c) 1999 - 2014 Broadcom Corporation                             |
 |                                                                            |
 | Revision:  3.0.2                                                           |
 |                                                                            |
 | Features:  ()                                                              |
 +----------------------------------------------------------------------------+
 |       _/     _/ _/_/_/ _/                                                  |
 |      _/_/ _/_/   _/   _/_/  Embedded MTA                                   |
 |     _/  _/ _/   _/   _/ _/                                                 |
 |    _/     _/   _/   _/  _/                                                 |
 |   _/     _/   _/   _/_/__/  CableLabs Certified                            |
 |  _/     _/   _/   _/    _/  PacketCable Certified                          |
 | _/     _/   _/   _/     _/                                                 |
 |                                                                            |
 | Copyright (c) 1999 - 2014 Broadcom Corporation                             |
 |                                                                            |
 | Revision:  3.9.21.16mp5                                                    |
 |                                                                            |
 | Features:  CBW383ZN eCos                                                   |
 | Features:  IPSEC NCS PacketCable-v1.5                                      |
 | Features:  dspApp3383_all_codecs (LDX app)                                 |
 | Features:  Logging: All                                                    |
 | Features:  (MTA LIB DATE: Sep 18 2017 14:44:54)                            |
 | Features:  Build options:                                                  |
 | Features:  locale=tu pktc_ver=15 slim=0 euro=0 sip_dqos=1 sip=0 revline=0  |
 | Features:  dspapp=all_codecs                                               |
 +----------------------------------------------------------------------------+
 | Build Date:  9/18/2017                                                     |
 | Build Time:  6:45:35                                                       |
 | Build By  :  porter                                                        |
 | Image Ver :  CBW-383ZN_0081.545.392116mp5.799.009                          |
 +----------------------------------------------------------------------------+

[jclehner]

For the dump flash commands, did you use the latest commit?

[tosbaha]

Yes I just compiled on macOS again. Still no go.

git pull
Updating 7873f93..2e44735
Fast-forward
 crypto.cc    |  2 --
 profiledef.c | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

bcm2-utils on  master [$]
➜ make
cc -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.2-5-g2e44735\"    -c -o profiledef.o profiledef.c
c++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.2-5-g2e44735\"  -std=c++14 -Wnon-virtual-dtor io.o rwx.o interface.o ps.o bcm2dump.o util.o progress.o mipsasm.o profile.o profiledef.o -o bcm2dump
c++ -c -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.2-5-g2e44735\"  -std=c++14 -Wnon-virtual-dtor crypto.cc -o crypto.o
c++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.2-5-g2e44735\"  -std=c++14 -Wnon-virtual-dtor util.o nonvol2.o bcm2cfg.o nonvoldef.o gwsettings.o profile.o profiledef.o crypto.o -o bcm2cfg
c++ -Wall -Wno-sign-compare -g -DVERSION=\"v0.9.2-5-g2e44735\"  -std=c++14 -Wnon-virtual-dtor util.o nonvol2.o t_nonvol.o profile.o profiledef.o -o t_nonvol

bcm2-utils on  master [$] took 3s
➜ ./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image1,auto image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16

read incomplete chunk 0x8070244c: 0/16; retrying
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80dc48c4,15 -> 0x80dc48c4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
profile auto-detection failed
failed to switch to super-user; some functions might not work

error: cannot create non-ram rwx object without a profile

context:
  ==> '/system/diag readmem -s 4 -n 16 0x80f89da0/system/diag readmem -s 4 -n 16 0x80f89da0'
  ==> (empty)
  ==> '80f89da0: 7235676d  00000000  72786761  696e6572 | r5gm....rxgainer'
' <== '/system/diag readmem -s 4 -n 16 0x82f00014
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x82f00014/system/diag readmem -s 4 -n 16 0x82f00014'
  ==> (empty)
  ==> '82f00014: fbbdf1a2  6f7dcdf8  1a673cd7  0b75476b | ....o}...g<..uGk'
' <== '/system/diag readmem -s 4 -n 16 0x814e8eac
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x814e8eac/system/diag readmem -s 4 -n 16 0x814e8eac'
  ==> (empty)
  ==> '814e8eac: ba63c706  b3ba174b  45908c95  30e26b7b | .c.....KE...0.k{'
' <== '/system/diag readmem -s 4 -n 16 0x814e953c
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x814e953c/system/diag readmem -s 4 -n 16 0x814e953c'
  ==> (empty)
  ==> '814e953c: 6f9f01d9  9f2210ea  294b370f  7c8feac9 | o...."..)K7.|...'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== '/system/diag readmem -s 4 -n 16 0x83f8e618
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x83f8e618/system/diag readmem -s 4 -n 16 0x83f8e618'
  ==> (empty)
  ==> '83f8e618: 057d0594  05b7055c  05f505ff  05860642 | .}.....\.......B'
' <== '/system/diag readmem -s 4 -n 16 0x85f00014
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x85f00014/system/diag readmem -s 4 -n 16 0x85f00014'
  ==> (empty)
  ==> '85f00014: 65637261  6d5f7374  6f2e6269  6e000000 | ecram_sto.bin...'
' <== 'su
  ==> (empty)
  ==> 'Console> susu'
  ==> (empty)
  ==> 'Error - what Unknown command:  'su''
  ==> (empty)
  ==> 'Console> '
' <== 'exit

It is like it can't do su or susu for a reason.

[jclehner]

su doesn't exist on your device - there's a way around that, but for that it needs to detect a profile. Please try the latest commit! If it still doesn't work, try this:

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' ram image,auto image.bin

[tosbaha]

Latest commit did something. It is reporting a download. I will upload the files 5 minutes later

UPDATE:
https://www31.zippyshare.com/v/NBVB4933/file.html
Both the image and the boot loader.

How can I disassemble this image? I really want to learn how you find out the DES and password stuff. I have radare2, IDA etc.

[jclehner]

The images are in Broadcom's ProgramStore format - a GPL'd tool to extract them exists here. For disassembly, set the arch to big-endian MIPS, create a RAM section, and set the image's load address to 0x80004000. Note that this is just plain machine code, not an executable format like ELF - the code starts at offset 0.

I just noticed that the image appears to be corrupted. Can you try

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' ram image,auto image.bin

[tosbaha]

Here is the new dump.
https://www2.zippyshare.com/v/9AusDCGO/file.html

[jclehner]

Thanks, this looks much better!

I really want to learn how you find out the DES and password stuff.

All these modem firmwares are based on the same Broadcom firmware (called BFC for Broadcom Foundation Classes, apparently), so once you've gotten to know one in depth, you'll find your way around others much faster. Using the GatewaySettings.bin magic constant, it's easy to find out where the file is created.

Many crypto functions use "magic" values themselves, so googling those often yields good results. Compare OpenSSL's DES_set_key_unchecked and parts of the disassembly of 0x8080d2fc for instance:

8080d358             li      v0, 0xf0f0f0f
[...]
8080d378             lui     v1, 0xcccc
[...]
8080d3ac             li      v1, 0x55555555
[...]
8080d3cc             li      v0, 0xff00ff

Then, it's a little bit of trial and error, keeping fingers crossed, cursing, and finally a "eureka!".

[tosbaha]

I was able extract the image with ProgramStore. However I still couldn't figure out the paramaters of IDA. I loaded extracted image to IDA

• Processor type I chose MIPS Big Endian [mipsb] I also tried with [mipsr]
• I ticked the box Create Ram section
• Set the Loading Address as 0x80004000

But it says please specify non-zero RAM size. I will really appreciate if you can tell me how to proceed step by step I am not good with this type of stuff. I just find them fascinating to learn.
Thanks once again for your continuous help.

[jclehner]

What's really interesting about your firmware is that I can run it on my spare TC7200.20, since it uses the same architecture ;)

[jclehner]

See this screenshot, shamelessly taken from stackexchange: you need to copy the value from "loading size" to "ram size".

[jclehner]

Using the latest version, please run:

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image1,auto image1.bin

and

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image2,auto image2.bin

Hopefully the images are not corrupted this time. Sadly, I can't test flash reads on my TC7200.20, since it uses a different flash driver than your device.

[tosbaha]

I did git pull and make.

I also want to ask this. This router has predefined WPA password. Is it calculated somehow with an algorithm related to MAC address for example or it is kind a fused in factory?

First Command

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image1,auto image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
detected profile cbw383zn(bfc), version 0081.799.009
failed to switch to super-user; some functions might not work
adjusting dump params: 0x00030000,92 -> 0x00030000,96

error: failed to open partition image1

context:
  ==> 'Console> '
' <== '/system/diag readmem -s 4 -n 16 0x8070244c
  ==> '/system/diag readmem -s 4 -n 16 0x8070244c/system/diag readmem -s 4 -n 16 0x8070244c'
  ==> (empty)
  ==> '8070244c: 00408021  93a50009  0c1bdbf8  8e440034 | .@.!.........D.4'
' <== '/system/diag readmem -s 4 -n 16 0x807023d4
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x807023d4/system/diag readmem -s 4 -n 16 0x807023d4'
  ==> (empty)
  ==> '807023d4: 8e440034  0c1bdac6  8fa5000c  1000009f | .D.4............'
' <== '/system/diag readmem -s 4 -n 16 0x80eb8a90
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x80eb8a90/system/diag readmem -s 4 -n 16 0x80eb8a90'
  ==> (empty)
  ==> '80eb8a90: 61626c65  20636f6e  74656e74  733a0a00 | able contents:..'
' <== '/system/diag readmem -s 4 -n 16 0x80f89da0
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x80f89da0/system/diag readmem -s 4 -n 16 0x80f89da0'
  ==> (empty)
  ==> '80f89da0: 7235676d  00000000  72786761  696e6572 | r5gm....rxgainer'
' <== '/system/diag readmem -s 4 -n 16 0x82f00014
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x82f00014/system/diag readmem -s 4 -n 16 0x82f00014'
  ==> (empty)
  ==> '82f00014: fbbdf1a2  6f7dcdf8  1a673cd7  0b75476b | ....o}...g<..uGk'
' <== '/system/diag readmem -s 4 -n 16 0x80dc48d0
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x80dc48d0/system/diag readmem -s 4 -n 16 0x80dc48d0'
  ==> (empty)
  ==> '80dc48d0: 30303900  25735f25  73000000  4342572d | 009.%s_%s...CBW-'
' <== 'su
  ==> (empty)
  ==> 'Console> susu'
  ==> (empty)
  ==> 'Error - what Unknown command:  'su''
  ==> (empty)
  ==> 'Console> '
' <== '/flash/open image1
  ==> '/flash/open image1/flash/open image1'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'Console> '
' <== 'exit
  ==> (empty)

Second Command

➜ ./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image2,auto image2.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16

read incomplete chunk 0x82f00014: 0/16; retrying
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
detected profile cbw383zn(bfc), version 0081.799.009
failed to switch to super-user; some functions might not work
adjusting dump params: 0x01000000,92 -> 0x01000000,96

error: failed to open partition image2

context:
  ==> (empty)
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x807023d4/system/diag readmem -s 4 -n 16 0x807023d4'
  ==> (empty)
  ==> '807023d4: 8e440034  0c1bdac6  8fa5000c  1000009f | .D.4............'
' <== '/system/diag readmem -s 4 -n 16 0x80eb8a90
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x80eb8a90/system/diag readmem -s 4 -n 16 0x80eb8a90'
  ==> (empty)
  ==> '80eb8a90: 61626c65  20636f6e  74656e74  733a0a00 | able contents:..'
' <== '/system/diag readmem -s 4 -n 16 0x80f89da0
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x80f89da0/system/diag readmem -s 4 -n 16 0x80f89da0'
  ==> (empty)
  ==> '80f89da0: 7235676d  00000000  72786761  696e6572 | r5gm....rxgainer'
' <== '/system/diag readmem -s 4 -n 16 0x82f00014
  ==> (empty)
  ==> 'Console> '
  <== ''
  ==> '/system/diag readmem -s 4 -n 16 0x82f00014/system/diag readmem -s 4 -n 16 0x82f00014'
  ==> (empty)
  ==> '82f00014: fbbdf1a2  6f7dcdf8  1a673cd7  0b75476b | ....o}...g<..uGk'
  ==> (empty)
  ==> 'Console> '
' <== '/system/diag readmem -s 4 -n 16 0x82f00014
  ==> 'Console> '
  ==> '/system/diag readmem -s 4 -n 16 0x82f00014/system/diag readmem -s 4 -n 16 0x82f00014'
  ==> (empty)
  ==> '82f00014: fbbdf1a2  6f7dcdf8  1a673cd7  0b75476b | ....o}...g<..uGk'
' <== '/system/diag readmem -s 4 -n 16 0x80dc48d0
  ==> (empty)
  ==> 'Console> /system/diag readmem -s 4 -n 16 0x80dc48d0/system/diag readmem -s 4 -n 16 0x80dc48d0'
  ==> (empty)
  ==> '80dc48d0: 30303900  25735f25  73000000  4342572d | 009.%s_%s...CBW-'
' <== 'su
  ==> (empty)
  ==> 'Console> susu'
  ==> (empty)
  ==> 'Error - what Unknown command:  'su''
  ==> (empty)
  ==> 'Console> '
' <== '/flash/open image2
  ==> '/flash/open image2/flash/open image2'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'Console> '
' <== 'exit

[jclehner]

Ah yes, try the latest commit. It didn't try the su alternative.

[tosbaha]

This method looks extremely slow it is reporting 35 minutes. Then it crashed. I don't know why we are doing this slow method though. Previous one gets firmware nicely and quite fast.

./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image1,auto image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
detected profile cbw383zn(bfc), version 0081.799.009
adjusting dump params: 0x81204074,4 -> 0x81204074,16
adjusting dump params: 0x00030000,92 -> 0x00030000,96
adjusting dump params: 0x00030000,7162777 -> 0x00030000,7162784
dumping flash:0x00030000-0x00704b9f (7162784 b)
   0.01% (0x00030200)      0 |     0  bytes/s (ETA      00:00:00)  ecram_sto.bin (0x8364, 7162685 b)
   0.16% (0x00032e00)   4.50k|  3.33k bytes/s (ETA      00:34:55)
read incomplete chunk 0x00032e00: 0/512; retrying
   0.29% (0x00035200)   5.00k|  3.70k bytes/s (ETA      00:31:25)
read incomplete chunk 0x00035200: 0/512; retrying
   0.35% (0x00036200)   3.50k|  3.67k bytes/s (ETA      00:31:42)
read incomplete chunk 0x00036200: 0/512; retrying
   0.48% (0x00038600)   4.50k|  3.75k bytes/s (ETA      00:30:57)
read incomplete chunk 0x00038600: 0/512; retrying
   0.68% (0x0003be00)   5.00k|  3.91k bytes/s (ETA      00:29:38)
read incomplete chunk 0x0003be00: 0/512; retrying
   0.81% (0x0003e200)   4.50k|  4.00k bytes/s (ETA      00:28:54)
read incomplete chunk 0x0003e200: 0/512; retrying
   0.86% (0x0003f200)   3.50k|  3.97k bytes/s (ETA      00:29:08)
read incomplete chunk 0x0003f200: 0/512; retrying
   1.07% (0x00042a00)   5.00k|  4.03k bytes/s (ETA      00:28:38)
read incomplete chunk 0x00042a00: 0/512; retrying
   1.19% (0x00044e00)   4.50k|  4.02k bytes/s (ETA      00:28:38)
read incomplete chunk 0x00044e00: 0/512; retrying
   1.25% (0x00045e00)   3.50k|  4.00k bytes/s (ETA      00:28:47)
read incomplete chunk 0x00045e00: 0/512; retrying
   1.59% (0x0004be00)   4.50k|  4.11k bytes/s (ETA      00:27:54)
read incomplete chunk 0x0004be00: 0/512; retrying
   2.14% (0x00055800)   5.00k|  4.19k bytes/s (ETA      00:27:16)
read incomplete chunk 0x00055800: 0/512; retrying
   2.22% (0x00056c00)   4.00k|  4.17k bytes/s (ETA      00:27:18)
read incomplete chunk 0x00056c00: 0/512; retrying
   2.25% (0x00057600)   2.00k|  4.04k bytes/s (ETA      00:28:13)
read incomplete chunk 0x00057600: 0/512; retrying
   2.59% (0x0005d600)   4.50k|  4.08k bytes/s (ETA      00:27:50)
read incomplete chunk 0x0005d600: 0/512; retrying
   2.79% (0x00060e00)   5.00k|  4.10k bytes/s (ETA      00:27:40)
read incomplete chunk 0x00060e00: 0/512; retrying
   2.92% (0x00063200)   4.50k|  4.09k bytes/s (ETA      00:27:40)
read incomplete chunk 0x00063200: 0/512; retrying
   2.98% (0x00064200)   4.50k|  4.10k bytes/s (ETA      00:27:36)
read incomplete chunk 0x00064200: 0/512; retrying
   3.32% (0x0006a200)   4.50k|  4.12k bytes/s (ETA      00:27:19)
read incomplete chunk 0x0006a200: 0/512; retrying
   3.52% (0x0006da00)   5.00k|  4.13k bytes/s (ETA      00:27:12)
read incomplete chunk 0x0006da00: 0/512; retrying
   3.65% (0x0006fe00)   4.50k|  4.13k bytes/s (ETA      00:27:12)
read incomplete chunk 0x0006fe00: 0/512; retrying
   3.85% (0x00073600)   5.00k|  4.14k bytes/s (ETA      00:27:05)
read incomplete chunk 0x00073600: 0/512; retrying
   3.98% (0x00075a00)   4.50k|  4.15k bytes/s (ETA      00:26:59)
read incomplete chunk 0x00075a00: 0/512; retrying
   4.18% (0x00079200)   5.00k|  4.16k bytes/s (ETA      00:26:52)
read incomplete chunk 0x00079200: 0/512; retrying
   4.31% (0x0007b600)   4.50k|  4.15k bytes/s (ETA      00:26:52)
read incomplete chunk 0x0007b600: 0/512; retrying
   4.35% (0x0007c200)   3.50k|  4.14k bytes/s (ETA      00:26:55)
read incomplete chunk 0x0007c200: 0/512; retrying
   4.37% (0x0007c800)   3.00k|  4.13k bytes/s (ETA      00:27:00)
read incomplete chunk 0x0007c800: 0/512; retrying
   4.42% (0x0007d600)   3.00k|  4.11k bytes/s (ETA      00:27:05)
read incomplete chunk 0x0007d600: 0/512; retrying

read incomplete chunk 0x0007d600: 0/512; retrying
   4.43% (0x0007d800)   3.00k|  4.11k bytes/s (ETA      00:27:05)
read incomplete chunk 0x0007d800: 0/512; retrying

read incomplete chunk 0x0007d800: 0/512; retrying
   4.45% (0x0007dc00)   2.00k|  4.08k bytes/s (ETA      00:27:16)
read incomplete chunk 0x0007dc00: 0/512; retrying
   4.50% (0x0007ec00)   3.50k|  4.04k bytes/s (ETA      00:27:34)
read incomplete chunk 0x0007ec00: 0/512; retrying
   4.56% (0x0007fc00)   4.00k|  4.04k bytes/s (ETA      00:27:33)
read incomplete chunk 0x0007fc00: 0/512; retrying
   4.62% (0x00080c00)   3.50k|  4.03k bytes/s (ETA      00:27:35)
read incomplete chunk 0x00080c00: 0/512; retrying
   4.71% (0x00082600)   3.50k|  4.02k bytes/s (ETA      00:27:37)
read incomplete chunk 0x00082600: 0/512; retrying
   4.72% (0x00082a00)   4.00k|  4.02k bytes/s (ETA      00:27:36)
read incomplete chunk 0x00082a00: 0/512; retrying
   4.85% (0x00084c00)   4.50k|  3.96k bytes/s (ETA      00:28:02)
read incomplete chunk 0x00084c00: 0/512; retrying
   4.98% (0x00087000)   4.50k|  3.96k bytes/s (ETA      00:27:59)
read incomplete chunk 0x00087000: 0/512; retrying
   5.18% (0x0008a800)   5.00k|  3.97k bytes/s (ETA      00:27:51)
read incomplete chunk 0x0008a800: 0/512; retrying
   5.38% (0x0008e000)   4.50k|  3.99k bytes/s (ETA      00:27:39)
read incomplete chunk 0x0008e000: 0/512; retrying
   5.50% (0x00090400)   5.00k|  3.99k bytes/s (ETA      00:27:35)
read incomplete chunk 0x00090400: 0/512; retrying
   5.56% (0x00091400)   3.50k|  3.99k bytes/s (ETA      00:27:36)
read incomplete chunk 0x00091400: 0/512; retrying
   5.69% (0x00093800)   4.50k|  3.99k bytes/s (ETA      00:27:34)
read incomplete chunk 0x00093800: 0/512; retrying
   5.75% (0x00094800)   3.50k|  3.98k bytes/s (ETA      00:27:35)
read incomplete chunk 0x00094800: 0/512; retrying
   5.95% (0x00098000)   5.00k|  4.00k bytes/s (ETA      00:27:27)
read incomplete chunk 0x00098000: 0/512; retrying
   6.15% (0x0009b800)   4.50k|  4.01k bytes/s (ETA      00:27:17)
read incomplete chunk 0x0009b800: 0/512; retrying
   6.28% (0x0009dc00)   5.00k|  4.01k bytes/s (ETA      00:27:13)
read incomplete chunk 0x0009dc00: 0/512; retrying
   6.48% (0x000a1400)   4.50k|  4.02k bytes/s (ETA      00:27:09)
read incomplete chunk 0x000a1400: 0/512; retrying
   6.53% (0x000a2400)   3.50k|  4.01k bytes/s (ETA      00:27:10)
read incomplete chunk 0x000a2400: 0/512; retrying
   6.59% (0x000a3400)   4.00k|  4.01k bytes/s (ETA      00:27:09)
read incomplete chunk 0x000a3400: 0/512; retrying
   6.79% (0x000a6c00)   4.50k|  4.03k bytes/s (ETA      00:26:59)
read incomplete chunk 0x000a6c00: 0/512; retrying
   6.96% (0x000a9a00)   4.50k|  4.02k bytes/s (ETA      00:26:58)
read incomplete chunk 0x000a9a00: 0/512; retrying
   6.97% (0x000a9e00)   4.00k|  4.02k bytes/s (ETA      00:26:57)
read incomplete chunk 0x000a9e00: 0/512; retrying
   7.10% (0x000ac200)   4.50k|  4.02k bytes/s (ETA      00:26:57)
read incomplete chunk 0x000ac200: 0/512; retrying
   7.30% (0x000afa00)   5.00k|  4.03k bytes/s (ETA      00:26:50)
read incomplete chunk 0x000afa00: 0/512; retrying
   7.33% (0x000b0200)   3.50k|  4.02k bytes/s (ETA      00:26:51)
read incomplete chunk 0x000b0200: 0/512; retrying
   7.33% (0x000b0400)   3.50k|  4.02k bytes/s (ETA      00:26:51)
read incomplete chunk 0x000b0400: 0/512; retrying
   7.53% (0x000b3c00)   4.50k|  4.02k bytes/s (ETA      00:26:47)
read incomplete chunk 0x000b3c00: 0/512; retrying
   7.66% (0x000b6000)   5.00k|  4.03k bytes/s (ETA      00:26:44)
read incomplete chunk 0x000b6000: 0/512; retrying
   7.86% (0x000b9800)   4.50k|  4.03k bytes/s (ETA      00:26:40)
read incomplete chunk 0x000b9800: 0/512; retrying
   7.99% (0x000bbc00)   5.00k|  4.03k bytes/s (ETA      00:26:36)
read incomplete chunk 0x000bbc00: 0/512; retrying
   8.05% (0x000bcc00)   3.50k|  4.03k bytes/s (ETA      00:26:37)
read incomplete chunk 0x000bcc00: 0/512; retrying
   8.25% (0x000c0400)   4.50k|  4.03k bytes/s (ETA      00:26:33)
read incomplete chunk 0x000c0400: 0/512; retrying
   8.38% (0x000c2800)   5.00k|  4.04k bytes/s (ETA      00:26:25)
read incomplete chunk 0x000c2800: 0/512; retrying
   8.58% (0x000c6000)   4.50k|  4.04k bytes/s (ETA      00:26:22)
read incomplete chunk 0x000c6000: 0/512; retrying
   8.71% (0x000c8400)   5.00k|  4.05k bytes/s (ETA      00:26:18)
read incomplete chunk 0x000c8400: 0/512; retrying
   8.76% (0x000c9400)   3.50k|  4.04k bytes/s (ETA      00:26:19)
read incomplete chunk 0x000c9400: 0/512; retrying
   8.96% (0x000ccc00)   4.50k|  4.04k bytes/s (ETA      00:26:15)
read incomplete chunk 0x000ccc00: 0/512; retrying
   9.02% (0x000cdc00)   4.50k|  4.05k bytes/s (ETA      00:26:13)
read incomplete chunk 0x000cdc00: 0/512; retrying
   9.15% (0x000d0000)   4.50k|  4.05k bytes/s (ETA      00:26:09)
read incomplete chunk 0x000d0000: 0/512; retrying
   9.35% (0x000d3800)   5.00k|  4.06k bytes/s (ETA      00:26:03)
read incomplete chunk 0x000d3800: 0/512; retrying
   9.55% (0x000d7000)   4.50k|  4.06k bytes/s (ETA      00:25:59)
read incomplete chunk 0x000d7000: 0/512; retrying
   9.68% (0x000d9400)   5.00k|  4.06k bytes/s (ETA      00:25:57)
read incomplete chunk 0x000d9400: 0/512; retrying
   9.74% (0x000da400)   3.50k|  4.06k bytes/s (ETA      00:25:57)
read incomplete chunk 0x000da400: 0/512; retrying
   9.86% (0x000dc800)   4.00k|  4.06k bytes/s (ETA      00:25:55)
read incomplete chunk 0x000dc800: 0/512; retrying
   9.92% (0x000dd800)   3.50k|  4.06k bytes/s (ETA      00:25:52)
read incomplete chunk 0x000dd800: 0/512; retrying
  10.12% (0x000e1000)   5.00k|  4.06k bytes/s (ETA      00:25:47)
read incomplete chunk 0x000e1000: 0/512; retrying
  10.25% (0x000e3400)   4.50k|  4.06k bytes/s (ETA      00:25:45)
read incomplete chunk 0x000e3400: 0/512; retrying
  10.36% (0x000e5200)   4.50k|  4.06k bytes/s (ETA      00:25:44)
read incomplete chunk 0x000e5200: 0/512; retrying
  10.39% (0x000e5a00)   3.50k|  4.06k bytes/s (ETA      00:25:44)
read incomplete chunk 0x000e5a00: 0/512; retrying
  10.41% (0x000e6000)   3.50k|  4.06k bytes/s (ETA      00:25:44)
read incomplete chunk 0x000e6000: 0/512; retrying
  10.61% (0x000e9800)   4.50k|  4.05k bytes/s (ETA      00:25:44)
read incomplete chunk 0x000e9800: 0/512; retrying
  10.81% (0x000ed000)   5.00k|  4.06k bytes/s (ETA      00:25:36)
read incomplete chunk 0x000ed000: 0/512; retrying
  10.94% (0x000ef400)   4.50k|  4.06k bytes/s (ETA      00:25:34)
read incomplete chunk 0x000ef400: 0/512; retrying
  11.14% (0x000f2c00)   5.00k|  4.07k bytes/s (ETA      00:25:29)
read incomplete chunk 0x000f2c00: 0/512; retrying
  11.19% (0x000f3c00)   3.50k|  4.06k bytes/s (ETA      00:25:29)
read incomplete chunk 0x000f3c00: 0/512; retrying
  11.32% (0x000f6000)   4.50k|  4.06k bytes/s (ETA      00:25:28)
read incomplete chunk 0x000f6000: 0/512; retrying
  11.52% (0x000f9800)   5.00k|  4.07k bytes/s (ETA      00:25:20)
read incomplete chunk 0x000f9800: 0/512; retrying
  11.72% (0x000fd000)   4.50k|  4.07k bytes/s (ETA      00:25:17)
read incomplete chunk 0x000fd000: 0/512; retrying
  11.85% (0x000ff400)   5.00k|  4.07k bytes/s (ETA      00:25:14)
read incomplete chunk 0x000ff400: 0/512; retrying
  11.91% (0x00100400)   3.50k|  4.07k bytes/s (ETA      00:25:14)
read incomplete chunk 0x00100400: 0/512; retrying
  11.97% (0x00101400)   3.50k|  4.07k bytes/s (ETA      00:25:14)
read incomplete chunk 0x00101400: 0/512; retrying
  12.09% (0x00103800)   4.50k|  4.07k bytes/s (ETA      00:25:12)
read incomplete chunk 0x00103800: 0/512; retrying
  12.22% (0x00105c00)   4.00k|  4.07k bytes/s (ETA      00:25:09)
read incomplete chunk 0x00105c00: 0/512; retrying
  12.42% (0x00109400)   4.50k|  4.07k bytes/s (ETA      00:25:03)
read incomplete chunk 0x00109400: 0/512; retrying
  12.55% (0x0010b800)   5.00k|  4.08k bytes/s (ETA      00:25:01)
read incomplete chunk 0x0010b800: 0/512; retrying
  12.75% (0x0010f000)   4.50k|  4.08k bytes/s (ETA      00:24:57)
read incomplete chunk 0x0010f000: 0/512; retrying
  12.95% (0x00112800)   5.00k|  4.08k bytes/s (ETA      00:24:52)
read incomplete chunk 0x00112800: 0/512; retrying
  13.08% (0x00114c00)   4.50k|  4.08k bytes/s (ETA      00:24:48)
read incomplete chunk 0x00114c00: 0/512; retrying
  13.28% (0x00118400)   5.00k|  4.09k bytes/s (ETA      00:24:44)
read incomplete chunk 0x00118400: 0/512; retrying
  13.35% (0x00119800)   3.50k|  4.08k bytes/s (ETA      00:24:44)
read incomplete chunk 0x00119800: 0/512; retrying

read incomplete chunk 0x00119800: 0/512; retrying

read incomplete chunk 0x00119800: 0/512; retrying

read incomplete chunk 0x00119800: 0/512; retrying

read incomplete chunk 0x00119800: 0/512; retrying

error: read incomplete chunk 0x00119800: 0/512

context:
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 956416 bytes into the region:'
  ==> (empty)
  ==> '29a690db 187f58ff 8d54bf9c da4552b9 a9d98325 16a84ac9 cd6e62d9 ec4246c1 5a973b7a 8ef02994 04ad0bd1 f6d626b1 c33374b4 bb9129c1 d297c62b def70341 34a688b3 59d5eb55 3f59df60 bd10bd1e f221f593 c2971c88 be30334e a0dca457 fbef4129 b1f1785f d3e0e5c0 3c062b13 256468b8 80916caf d5818d25 f4322e75 5dccd1b8 c82648f2 490a5c16 918c3684 304368e6 ba95aef5 bae2d405 fe1bac80 5eb19a75 0c524947 4b083bd9 3d4a5eb6 0651c415 e88433bd 7b99fec8 c1b152df 462c87f8 dc06bf72 893d1628 33a187ff bf0e5151 c73bfe86 0d13d80e 48081854 89eba177 37d2e741 ea0e4124 959cfa17 f6b40892 4198872b c8747056 0b7273d4 69027542 eb5c05a9 b4179925 37b6ea8d e943c10a 72118c63 e0c6e4de 44816e91 4bca3fad b8a8f5b3 bfe9c1b8 023c72af 67f1542f 65217e62 44e2f835 0336c61d bb884b48 c6dfa06a cef8ef86 d51a49d9 ce59fed9 d42774dc 30eb1009 cae7925c f4a11d24 3e2ad8fd 3c240b4a 88815f8d 2e230a87 2db04d29 201d0cf7 4e0c927c 896ef3f0 ad43d8c9 919b68eb 6f322689 fd51cf50 6dce1a8c 25c054a5 f31c2c88 e3c8bbbc c7c2a305 c4ef6229 f946b164 6d86d026 8837b69b e87255ef 0d5c7da2 a6126a09 2c255362 7d871fc2 d198d2cc 0a1f489f bc7be6fc 808c4405 0a0fd15e e0941abd 3006746f 2adf8b8b 4494e2a7 1c1fa887 c7ef4b4e 108a4485 4d736cfa '
  ==> (empty)
  ==> 'CM> '
' <== '/flash/read 4 512 956416
  ==> (empty)
  ==> 'CM> '
  <== ''
  ==> '/flash/read 4 512 956416/flash/read 4 512 956416'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 956416 bytes into the region:'
  ==> (empty)
  ==> '29a690db 187f58ff 8d54bf9c da4552b9 a9d98325 16a84ac9 cd6e62d9 ec4246c1 5a973b7a 8ef02994 04ad0bd1 f6d626b1 c33374b4 bb9129c1 d297c62b def70341 34a688b3 59d5eb55 3f59df60 bd10bd1e f221f593 c2971c88 be30334e a0dca457 fbef4129 b1f1785f d3e0e5c0 3c062b13 256468b8 80916caf d5818d25 f4322e75 5dccd1b8 c82648f2 490a5c16 918c3684 304368e6 ba95aef5 bae2d405 fe1bac80 5eb19a75 0c524947 4b083bd9 3d4a5eb6 0651c415 e88433bd 7b99fec8 c1b152df 462c87f8 dc06bf72 893d1628 33a187ff bf0e5151 c73bfe86 0d13d80e 48081854 89eba177 37d2e741 ea0e4124 959cfa17 f6b40892 4198872b c8747056 0b7273d4 69027542 eb5c05a9 b4179925 37b6ea8d e943c10a 72118c63 e0c6e4de 44816e91 4bca3fad b8a8f5b3 bfe9c1b8 023c72af 67f1542f 65217e62 44e2f835 0336c61d bb884b48 c6dfa06a cef8ef86 d51a49d9 ce59fed9 d42774dc 30eb1009 cae7925c f4a11d24 3e2ad8fd 3c240b4a 88815f8d 2e230a87 2db04d29 201d0cf7 4e0c927c 896ef3f0 ad43d8c9 919b68eb 6f322689 fd51cf50 6dce1a8c 25c054a5 f31c2c88 e3c8bbbc c7c2a305 c4ef6229 f946b164 6d86d026 8837b69b e87255ef 0d5c7da2 a6126a09 2c255362 7d871fc2 d198d2cc 0a1f489f bc7be6fc 808c4405 0a0fd15e e0941abd 3006746f 2adf8b8b 4494e2a7 1c1fa887 c7ef4b4e 108a4485 4d736cfa '
  ==> (empty)
  ==> 'CM> '
' <== '/flash/read 4 512 956416
  ==> (empty)
  ==> 'CM> '
  <== ''
  ==> '/flash/read 4 512 956416/flash/read 4 512 956416'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 956416 bytes into the region:'
  ==> (empty)
  ==> '29a690db 187f58ff 8d54bf9c da4552b9 a9d98325 16a84ac9 cd6e62d9 ec4246c1 5a973b7a 8ef02994 04ad0bd1 f6d626b1 c33374b4 bb9129c1 d297c62b def70341 34a688b3 59d5eb55 3f59df60 bd10bd1e f221f593 c2971c88 be30334e a0dca457 fbef4129 b1f1785f d3e0e5c0 3c062b13 256468b8 80916caf d5818d25 f4322e75 5dccd1b8 c82648f2 490a5c16 918c3684 304368e6 ba95aef5 bae2d405 fe1bac80 5eb19a75 0c524947 4b083bd9 3d4a5eb6 0651c415 e88433bd 7b99fec8 c1b152df 462c87f8 dc06bf72 893d1628 33a187ff bf0e5151 c73bfe86 0d13d80e 48081854 89eba177 37d2e741 ea0e4124 959cfa17 f6b40892 4198872b c8747056 0b7273d4 69027542 eb5c05a9 b4179925 37b6ea8d e943c10a 72118c63 e0c6e4de 44816e91 4bca3fad b8a8f5b3 bfe9c1b8 023c72af 67f1542f 65217e62 44e2f835 0336c61d bb884b48 c6dfa06a cef8ef86 d51a49d9 ce59fed9 d42774dc 30eb1009 cae7925c f4a11d24 3e2ad8fd 3c240b4a 88815f8d 2e230a87 2db04d29 201d0cf7 4e0c927c 896ef3f0 ad43d8c9 919b68eb 6f322689 fd51cf50 6dce1a8c 25c054a5 f31c2c88 e3c8bbbc c7c2a305 c4ef6229 f946b164 6d86d026 8837b69b e87255ef 0d5c7da2 a6126a09 2c255362 7d871fc2 d198d2cc 0a1f489f bc7be6fc 808c4405 0a0fd15e e0941abd 3006746f 2adf8b8b 4494e2a7 1c1fa887 c7ef4b4e 108a4485 4d736cfa '
  ==> (empty)
  ==> 'CM> '
' <== '/flash/read 4 512 956416
  ==> (empty)
  ==> 'CM> '
  <== ''
  ==> '/flash/read 4 512 956416/flash/read 4 512 956416'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 956416 bytes into the region:'
  ==> (empty)
  ==> '29a690db 187f58ff 8d54bf9c da4552b9 a9d98325 16a84ac9 cd6e62d9 ec4246c1 5a973b7a 8ef02994 04ad0bd1 f6d626b1 c33374b4 bb9129c1 d297c62b def70341 34a688b3 59d5eb55 3f59df60 bd10bd1e f221f593 c2971c88 be30334e a0dca457 fbef4129 b1f1785f d3e0e5c0 3c062b13 256468b8 80916caf d5818d25 f4322e75 5dccd1b8 c82648f2 490a5c16 918c3684 304368e6 ba95aef5 bae2d405 fe1bac80 5eb19a75 0c524947 4b083bd9 3d4a5eb6 0651c415 e88433bd 7b99fec8 c1b152df 462c87f8 dc06bf72 893d1628 33a187ff bf0e5151 c73bfe86 0d13d80e 48081854 89eba177 37d2e741 ea0e4124 959cfa17 f6b40892 4198872b c8747056 0b7273d4 69027542 eb5c05a9 b4179925 37b6ea8d e943c10a 72118c63 e0c6e4de 44816e91 4bca3fad b8a8f5b3 bfe9c1b8 023c72af 67f1542f 65217e62 44e2f835 0336c61d bb884b48 c6dfa06a cef8ef86 d51a49d9 ce59fed9 d42774dc 30eb1009 cae7925c f4a11d24 3e2ad8fd 3c240b4a 88815f8d 2e230a87 2db04d29 201d0cf7 4e0c927c 896ef3f0 ad43d8c9 919b68eb 6f322689 fd51cf50 6dce1a8c 25c054a5 f31c2c88 e3c8bbbc c7c2a305 c4ef6229 f946b164 6d86d026 8837b69b e87255ef 0d5c7da2 a6126a09 2c255362 7d871fc2 d198d2cc 0a1f489f bc7be6fc 808c4405 0a0fd15e e0941abd 3006746f 2adf8b8b 4494e2a7 1c1fa887 c7ef4b4e 108a4485 4d736cfa '
  ==> (empty)
  ==> 'CM> '
' <== '/flash/read 4 512 956416
  ==> (empty)
  ==> 'CM> '
' <== '/flash/close
  ==> '/flash/read 4 512 956416/flash/read 4 512 956416'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 956416 bytes into the region:'
  ==> (empty)
  ==> '29a690db 187f58ff 8d54bf9c da4552b9 a9d98325 16a84ac9 cd6e62d9 ec4246c1 5a973b7a 8ef02994 04ad0bd1 f6d626b1 c33374b4 bb9129c1 d297c62b def70341 34a688b3 59d5eb55 3f59df60 bd10bd1e f221f593 c2971c88 be30334e a0dca457 fbef4129 b1f1785f d3e0e5c0 3c062b13 256468b8 80916caf d5818d25 f4322e75 5dccd1b8 c82648f2 490a5c16 918c3684 304368e6 ba95aef5 bae2d405 fe1bac80 5eb19a75 0c524947 4b083bd9 3d4a5eb6 0651c415 e88433bd 7b99fec8 c1b152df 462c87f8 dc06bf72 893d1628 33a187ff bf0e5151 c73bfe86 0d13d80e 48081854 89eba177 37d2e741 ea0e4124 959cfa17 f6b40892 4198872b c8747056 0b7273d4 69027542 eb5c05a9 b4179925 37b6ea8d e943c10a 72118c63 e0c6e4de 44816e91 4bca3fad b8a8f5b3 bfe9c1b8 023c72af 67f1542f 65217e62 44e2f835 0336c61d bb884b48 c6dfa06a cef8ef86 d51a49d9 ce59fed9 d42774dc 30eb1009 cae7925c f4a11d24 3e2ad8fd 3c240b4a 88815f8d 2e230a87 2db04d29 201d0cf7 4e0c927c 896ef3f0 ad43d8c9 919b68eb 6f322689 fd51cf50 6dce1a8c 25c054a5 f31c2c88 e3c8bbbc c7c2a305 c4ef6229 f946b164 6d86d026 8837b69b e87255ef 0d5c7da2 a6126a09 2c255362 7d871fc2 d198d2cc 0a1f489f bc7be6fc 808c4405 0a0fd15e e0941abd 3006746f 2adf8b8b 4494e2a7 1c1fa887 c7ef4b4e 108a4485 4d736cfa '
  ==> (empty)
  ==> 'CM> '
' <== 'exit

[tosbaha]

Second command you said, crashed at 62%
./bcm2dump -vv dump '192.168.0.1,H@ly_Je$u$,Ble$$_Y@u>>^.^Day' flash image2,auto image2.bin

  62.80% (0x0144ee00)   4.50k|  3.91k bytes/s (ETA      00:11:08)
read incomplete chunk 0x0144ee00: 0/512; retrying

read incomplete chunk 0x0144ee00: 0/512; retrying

read incomplete chunk 0x0144ee00: 0/512; retrying

read incomplete chunk 0x0144ee00: 0/512; retrying

read incomplete chunk 0x0144ee00: 0/512; retrying

error: read incomplete chunk 0x0144ee00: 0/512

context:
' <== '/flash/read 4 512 4517376
  ==> (empty)
  ==> 'CM> '
  <== ''
  ==> '/flash/read 4 512 4517376/flash/read 4 512 4517376'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 4517376 bytes into the region:'
  ==> (empty)
  ==> 'bc5ce72c 6e469aed 7299d44d 95057719 f775e4b1 3daf60ea 428c88d0 d1e84cf7 6577a0e3 30f8bf0b 4c2cb867 0f26f0dd fedd0ae2 cb8f4721 86a35a12 c5deafb9 18d36166 d69be777 9fd38c06 aa77293a 08e5ea50 14e99c88 e3b7afeb ee71eee8 ccdef9c7 d129fed4 6f5bd6ab 8ad67653 6320bd5e 948e4c60 6d14522f 75cab50d 608e57a3 ff96c642 3c868f59 9eff6637 273afd1a c7413d20 1e29b531 ca821a32 4b1ad09b 684f46d8 a41b6999 8ecdbbf2 e38f124f f097e1c2 2260fa9f 5975c64f 077e3f3d 15afd2f8 688b6bfc 135ae68f 0aa49e16 a2ef113e 4ee02b5d 6ee5ee4e d5cda2bd 9b21f08f 578862ea 9d5111c3 9eabc0ba 556fbe0d 18408ef3 8d1d584f f810f184 914a5b86 cb9b0dbb e859f7e8 7891ab52 78605ce0 4eadb047 a07dbe87 44695bb5 1be90725 de0fb509 50e303e4 5a2d4342 93f8e5b3 270b387a 9e0a5052 afd8d027 ada5ae73 acc75f82 a77d57c6 22251277 5e1269b5 390bc2ba 14449f8f 5529c734 a4cc7e2e e240074b 1af32108 0158d1ef ebe5c0d7 68daa0a5 a04be44d 474c1a8e eef52a8a 4a011057 09b42dec 2d9875cc 6ede2877 a735f9cd 57f4aab0 299f495d e7baff6c d39914ae 667e7970 38674f70 f2d030dc f1a3ff35 e7d01bd7 7eb36114 fcc15774 4c14a66c 2ce242f8 f92875bb 05c05b1b e67684ec 87339e06 bc0a5b40 c7b4f9cb 19e30f2d 1e00e839 71f1cb20 1cce053a f794389a 0dffcfa2 '
  ==> (empty)
  ==> 'CM> '
' <== '/flash/read 4 512 4517376
  ==> (empty)
  ==> 'CM> '
  <== ''
  ==> '/flash/read 4 512 4517376/flash/read 4 512 4517376'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 4517376 bytes into the region:'
  ==> (empty)
  ==> 'bc5ce72c 6e469aed 7299d44d 95057719 f775e4b1 3daf60ea 428c88d0 d1e84cf7 6577a0e3 30f8bf0b 4c2cb867 0f26f0dd fedd0ae2 cb8f4721 86a35a12 c5deafb9 18d36166 d69be777 9fd38c06 aa77293a 08e5ea50 14e99c88 e3b7afeb ee71eee8 ccdef9c7 d129fed4 6f5bd6ab 8ad67653 6320bd5e 948e4c60 6d14522f 75cab50d 608e57a3 ff96c642 3c868f59 9eff6637 273afd1a c7413d20 1e29b531 ca821a32 4b1ad09b 684f46d8 a41b6999 8ecdbbf2 e38f124f f097e1c2 2260fa9f 5975c64f 077e3f3d 15afd2f8 688b6bfc 135ae68f 0aa49e16 a2ef113e 4ee02b5d 6ee5ee4e d5cda2bd 9b21f08f 578862ea 9d5111c3 9eabc0ba 556fbe0d 18408ef3 8d1d584f f810f184 914a5b86 cb9b0dbb e859f7e8 7891ab52 78605ce0 4eadb047 a07dbe87 44695bb5 1be90725 de0fb509 50e303e4 5a2d4342 93f8e5b3 270b387a 9e0a5052 afd8d027 ada5ae73 acc75f82 a77d57c6 22251277 5e1269b5 390bc2ba 14449f8f 5529c734 a4cc7e2e e240074b 1af32108 0158d1ef ebe5c0d7 68daa0a5 a04be44d 474c1a8e eef52a8a 4a011057 09b42dec 2d9875cc 6ede2877 a735f9cd 57f4aab0 299f495d e7baff6c d39914ae 667e7970 38674f70 f2d030dc f1a3ff35 e7d01bd7 7eb36114 fcc15774 4c14a66c 2ce242f8 f92875bb 05c05b1b e67684ec 87339e06 bc0a5b40 c7b4f9cb 19e30f2d 1e00e839 71f1cb20 1cce053a f794389a 0dffcfa2 '
  ==> (empty)
  ==> 'CM> '
' <== '/flash/read 4 512 4517376
  ==> (empty)
  ==> 'CM> '
  <== ''
  ==> '/flash/read 4 512 4517376/flash/read 4 512 4517376'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 4517376 bytes into the region:'
  ==> (empty)
  ==> 'bc5ce72c 6e469aed 7299d44d 95057719 f775e4b1 3daf60ea 428c88d0 d1e84cf7 6577a0e3 30f8bf0b 4c2cb867 0f26f0dd fedd0ae2 cb8f4721 86a35a12 c5deafb9 18d36166 d69be777 9fd38c06 aa77293a 08e5ea50 14e99c88 e3b7afeb ee71eee8 ccdef9c7 d129fed4 6f5bd6ab 8ad67653 6320bd5e 948e4c60 6d14522f 75cab50d 608e57a3 ff96c642 3c868f59 9eff6637 273afd1a c7413d20 1e29b531 ca821a32 4b1ad09b 684f46d8 a41b6999 8ecdbbf2 e38f124f f097e1c2 2260fa9f 5975c64f 077e3f3d 15afd2f8 688b6bfc 135ae68f 0aa49e16 a2ef113e 4ee02b5d 6ee5ee4e d5cda2bd 9b21f08f 578862ea 9d5111c3 9eabc0ba 556fbe0d 18408ef3 8d1d584f f810f184 914a5b86 cb9b0dbb e859f7e8 7891ab52 78605ce0 4eadb047 a07dbe87 44695bb5 1be90725 de0fb509 50e303e4 5a2d4342 93f8e5b3 270b387a 9e0a5052 afd8d027 ada5ae73 acc75f82 a77d57c6 22251277 5e1269b5 390bc2ba 14449f8f 5529c734 a4cc7e2e e240074b 1af32108 0158d1ef ebe5c0d7 68daa0a5 a04be44d 474c1a8e eef52a8a 4a011057 09b42dec 2d9875cc 6ede2877 a735f9cd 57f4aab0 299f495d e7baff6c d39914ae 667e7970 38674f70 f2d030dc f1a3ff35 e7d01bd7 7eb36114 fcc15774 4c14a66c 2ce242f8 f92875bb 05c05b1b e67684ec 87339e06 bc0a5b40 c7b4f9cb 19e30f2d 1e00e839 71f1cb20 1cce053a f794389a 0dffcfa2 '
  ==> (empty)
  ==> 'CM> '
' <== '/flash/read 4 512 4517376
  ==> (empty)
  ==> 'CM> '
' <== '/flash/close
  ==> '/flash/read 4 512 4517376/flash/read 4 512 4517376'
  ==> (empty)
  ==> 'Reading 512 bytes as 4-byte entities, starting at an offset of 4517376 bytes into the region:'
  ==> (empty)
  ==> 'bc5ce72c 6e469aed 7299d44d 95057719 f775e4b1 3daf60ea 428c88d0 d1e84cf7 6577a0e3 30f8bf0b 4c2cb867 0f26f0dd fedd0ae2 cb8f4721 86a35a12 c5deafb9 18d36166 d69be777 9fd38c06 aa77293a 08e5ea50 14e99c88 e3b7afeb ee71eee8 ccdef9c7 d129fed4 6f5bd6ab 8ad67653 6320bd5e 948e4c60 6d14522f 75cab50d 608e57a3 ff96c642 3c868f59 9eff6637 273afd1a c7413d20 1e29b531 ca821a32 4b1ad09b 684f46d8 a41b6999 8ecdbbf2 e38f124f f097e1c2 2260fa9f 5975c64f 077e3f3d 15afd2f8 688b6bfc 135ae68f 0aa49e16 a2ef113e 4ee02b5d 6ee5ee4e d5cda2bd 9b21f08f 578862ea 9d5111c3 9eabc0ba 556fbe0d 18408ef3 8d1d584f f810f184 914a5b86 cb9b0dbb e859f7e8 7891ab52 78605ce0 4eadb047 a07dbe87 44695bb5 1be90725 de0fb509 50e303e4 5a2d4342 93f8e5b3 270b387a 9e0a5052 afd8d027 ada5ae73 acc75f82 a77d57c6 22251277 5e1269b5 390bc2ba 14449f8f 5529c734 a4cc7e2e e240074b 1af32108 0158d1ef ebe5c0d7 68daa0a5 a04be44d 474c1a8e eef52a8a 4a011057 09b42dec 2d9875cc 6ede2877 a735f9cd 57f4aab0 299f495d e7baff6c d39914ae 667e7970 38674f70 f2d030dc f1a3ff35 e7d01bd7 7eb36114 fcc15774 4c14a66c 2ce242f8 f92875bb 05c05b1b e67684ec 87339e06 bc0a5b40 c7b4f9cb 19e30f2d 1e00e839 71f1cb20 1cce053a f794389a 0dffcfa2 '
  ==> (empty)
  ==> 'CM> '
  ==> '/flash/close/flash/close'
  ==> (empty)
  ==> 'Flash driver closed.'
  ==> (empty)
  ==> 'CM> '
' <== 'exit

[jclehner]

Strange, but try now with the latest version!

[tosbaha]

I just tried both methods and uploaded two files. I checked the MD5 of files and it seems dumping image2 gives the correct image.Its MD5 is 6f8a33e0ef781526da1502d048a90688 just like #7 (comment)

https://www70.zippyshare.com/v/5tC6PquT/file.html

[jclehner]

Thanks, maybe image1 is corrupted on flash, but the two dumps differ. Dumping via the shell is broken in some firmwares, but as long as image2 works, I'm content :)

Closing this now, but feel free to contact me, should questions arise.