Motorola NVG510

Use
Sold by AT&T for use with UVerse, in areas where UVerse TV is not available. This device supports internet and VoIP use, but not TV.

Specs

 * ADSL2+ modem/wap/router
 * Uses BCM6362 SoC - CFE describes it as BCM6362, and the output also mentions DECT. (some chips described as 6362 are actually BCM6361's; that is unlikely in this case because the 6361 lacks DECT)
 * CPU is capable of 400MHz but is clocked at 210MHz
 * 16M flash, 64M RAM
 * Linux 2.6.30.10

Links of Interest
Broadcom BCM63xx on the OpenWRT wiki

Broadcom SOCs on the Linux-MIPS wiki

The BCM6362 may also used in the Linksys X3000, the Boblite (nay, BCM6361), and the SKY FAST2504n.

The French Neufbox_6 uses the very similar BCM6361.

[Additional images]

Serial Pinouts

 * J10 is a 3.3V serial port - 57600 8N1


 * J11 is a 14-pin unpopulated connector that probably includes JTAG. Based upon /www/residential/cgi-bin/usb_disk.ha, this probably also contains USB signals.

Pictures
User Images These two images are sized and aligned for use with [dePCB] ([latest source]), a board reversing tool. The bottom image needs to be flipped, but is not. 

Code
Motorola Arris GPL archive

Enabling Telnet
There is a remote vulnerability that allows telnet to be enabled. Once that is enabled, it is trivial to access the root shell by just two commands at the telnet prompt.

Grabbing Files
NOTE: /media is a ramdisk, and the system has limited memory! Do not grab files in /dev unless you know exactly what they are - some are infinite in length!

Get busybox cd /media wget http://busybox.net/downloads/binaries/1.19.0/busybox-mips chmod +x busybox-mips Set up symlinks ln -s busybox-mips tar ln -s busybox-mips nc   ln -s busybox-mips lsusb ln -s busybox-mips lspci ln -s busybox-mips lsmod ln -s busybox-mips uname ln -s busybox-mips dmesg ln -s busybox-mips less Grab an mtd image
 * on nvg510:   cat /dev/mtdblock0|./nc -l -p 555
 * Then, on the pc:   nc 192.168.1.254 555 >mtdblock0

Grab the filesystem, except for /dev and /proc
 * on nvg510:   ./tar cf - /bin /boot /etc /lib /sbin /tftpboot /tmp /usr /var /www |./nc -l -p 555
 * Then, on the pc:   nc 192.168.1.254 555 >root.tar

Alternatively, there is also a tftp client on the modem. This can be used to transfer files on and off of the modem, if you setup a tftp server on your local network.

MTD Layout
/* * MTD Partitioning scheme for Motopia systems: * * +-+ * | Boot               | * +-+---+ * | Image  | Kernel    | * |        +---+ * |         | Rootfs    | * +-+---+ * | Motopia            | <- motopia_mtd * +-+ */

 131072 mtdblock0 953344 mtdblock1 8409088 mtdblock2 16384000 mtdblock3 262144 mtdblock4 26139648 total
 * 1) cd /dev
 * 2) wc -c mtdblock*

PCI and USB bus
./lsusb -vv Bus 001 Device 001: ID 1d6b:0002   Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0001   Linux Foundation 1.1 root hub

./lspci -vv 00:00.0 Class 0280: 14e4:435f   this class code is for "network device: other" 00:09.0 Class 0c03: 14e4:6300 00:0a.0 Class 0c03: 14e4:6300