Immortal
09-08-2008, 02:46 AM
UGM Exclusive!
E08C007 Console Unlocker Exploit
Exploit Discovery & Coding By: Water aka Anonymous
I completed this project a few months back, and didn’t really have much intention of making it public as I don’t usually like to do that with my work. But due to a mixture of being busy, lazy and some fuckwit who thinks he can copy my work and take credit for it, here we go…
A lot of people have kept on asking about this, and when it will be released etc. Well finally, here it is: the eagerly awaited 2.94.1014 software hack, which is the firmware found on the “250/255 modems” as they are more commonly referred to. This exploit opens up the console which ultimately allows you to change the bootloader for some flashing fun.
It started off with some cunt at Ambit who thought the 3.1.6d bootloader was a good idea. After being locked out of my hardware, I set upon the challenge of getting back in without lifting the flash. The only route was a software hack, and thus after some time, patience and a lot of enthusiasm, this exploit application was born.
The exploit is thanks to a vulnerability in the httpd which causes it to crash when you feed it quirky authentication packets. This then kick starts the console, and after applying some voodoo to deter the watchdog, you are left with a stable console connection to your hardware. From here on, you could read/write/erase flash regions (such as the bootloader) using SoftJtag etc.
Shoutz to ImH and everyone who has worked hard to keep the scene going. Also thanks to my testers: MONKey, Mark370, Digi and anyone else I’m forgetting.
Water aka Anonymous aka whatever else you know me by ;)
USAGE:
1. Apply serial and Ethernet connection between your PC and the modem
2. Set your PC IP parameters to:
IP: 192.168.100.10
Subnet: 255.255.255.0
Gateway: 192.168.100.1
3. Power on the modem and wait for it to startup (10 secs)
4. Open the exploit application and hit “Execute Exploit”
5. If it says it's successful, then the console is now ready to accept connections!
If it fails, power cycle the modem and try the application again.
At this point, if you want to restore your bootloader to the original 2.1.6d that has the re-flashing menu etc, you need a copy of SoftJTAG and the 2.1.6d bootloader.
** BE CAREFUL WHEN USING SOFTJTAG - As you can brick your modem if you're not careful **
1. Open SoftJTAG, and connect via your serial port.
2. On the right hand side, click on “Write Bootloader” and select the 2.1.6d bootloader file
3. Wait till it's done (this takes 10 – 15 minutes). Once it's done, close SoftJTAG
4. Start HyperTerminal/TeraTerm and connect to your serial port
5. Reset the modem
Upon resetting the modem, you will now be given the option to stop at P as it is now booting with the 2.1.6d bootloader. You MUST press the button and stop then, as if you miss it and let it fully boot, your bootloader will be over-written again with the 3.1.6d, in which case you will have to repeat these steps again and be quicker not to miss it next time.
If you are successful in entering the menu, you can now re-flash or whatever you wish to do with your modem from this menu!
Legal disclaimer: I take no responsibility for the above given information or files and what you decide to do with it. This is purely for information purposes and should not be attempted to be executed in any way, particularly for any illegal purposes. I could tell you thumping a noob over the head with a modem would probably knock them unconscious, but that doesn’t mean you should do it.
Exploit Download: http://rapidshare.com/files/141670436/Console_Unlocker_v1.1b.zip
SoftJTAG + 2.1.6d Bootloader: http://rapidshare.com/files/141665848/SoftJtag___2.1.6d_Bootloader.zip
UGM - The flagship modem hacking resource