Clone CM-MAC between Fritzbox Cable (6490/6590)

https://web.archive.org/web/20190103183930/https://www.ip-forum.eu/howto-aendern-des-branding-und-installieren-der-retail-firmware-bei-fritz-box-cable-160

https://www.ip-phone-forum.de/threads/fritzbox-6490-mac-%C3%84ndern-ich-will-es-wirklich.300128/post-2320218

https://www.ip-phone-forum.de/threads/fritzbox-cable-cm-mac-adresse-%C3%A4ndern.307240/

https://github.com/PeterPawn/YourFritz/tree/main/tools

https://boxmatrix.info/wiki/Property:docsis.nvram

https://wiki.zebradem.com/wiki/index.php?title=EJTAG
https://wiki.zebradem.com/wiki/index.php?title=Fritzbox_Tipps_%26_Tricks

 

https://asn1.io/asn1playground/

 

 

  1. Start up your Fritz Box to adam2/bootloader:
    - Computer IP fixed to 192.168.178.2 (or higher)
    - LAN cables connected of both devices connected to network (you might experience timing issues on direct connection or media sensing)
    - Within the first few (5?) after power on, access the box via "ftp 192.168.0.1". Make sure your client supports passive mode.
  2. Download some files. On my client, I have to press CTRL+C to stop the transmission mode.
    - quote MEDIA SDRAM # This changes to the right storage location
    - get env /tmp/env # 2103 bytes received
    - get count /tmp/count # 150 bytes received
    - get CONFIG /tmp/config.bin # 58368 bytes received
  3. Disconnect and extract the certificates:
    #Verify location by xxd -g1  config.bin | grep "1f 8b"
    dd if=config.bin bs=1 skip=$(( 0x402 )) count=$(( 0x849 )) | tar tvz
  4. Verify certificates:
    openssl rsa -in cm_key_prv.bin -text -noout  -inform DER
    openssl rsa -in cm_key_prv.bin -inform DER -out cm_key_prv.pem

    openssl asn1parse -in cm_cert.cer --inform DER # partially works
 
 
Die Zertifikatdatein sollten final im NVRAM unter /nvram/1/security (ARM) liegen.

# ls -l /nvram/1/security/
lrwxrwxrwx 1 root root 38 Sep 5 2016 cm_cert.cer -> /nvram/1/security/download/cm_cert.cer
lrwxrwxrwx 1 root root 41 Sep 5 2016 cm_key_prv.bin -> /nvram/1/security/download/cm_key_prv.bin
drwxr-xr-x 2 root root 0 Sep 5 2016 download
lrwxrwxrwx 1 root root 39 Sep 5 2016 mfg_cert.cer -> /nvram/1/security/download/mfg_cert.cer
lrwxrwxrwx 1 root root 42 Sep 5 2016 mfg_key_pub.bin -> /nvram/1/security/download/mfg_key_pub.bin
lrwxrwxrwx 1 root root 42 Jan 1 1970 root_pub_key.bin -> /etc/docsis/security/euro_root_pub_key.bin
 
 

und die MAC-Adresse der alten FB per SETENV eintragen.

 
 
/nvram auf dem ARM ist ein flash filesystem auf einem EPROM, also Daten einfach reinkopieren und sie sind persistent.
Einloggen auf dem arm kannst Du dich mit "armconsole". Das rpc Kommando geht dann in die andere Richtung (arm->atom).

Etwa so (aus dem kopf, bitte kein copy/paste)

armconsole
mkdir -p /nvram/1/security/download
rpc cat /tmp/cm_key_prv.bin > /nvram/1/security/download/cm_key_prv.bin
...
cd /nvram/1/security
ln -s download/* .

Mit der Aenderung der MAC adresse sollte es dann passen.

Edit: Die alten vorher sichern und aus /nvram/1/security loeschen!