Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/1birdo/vox3.0_uart

Getting a UART Shell on a VodaFone VOX 3.0, With Shell access.
https://github.com/1birdo/vox3.0_uart

broadcom cli firmware firmware-extraction isp modem openwrt openwrt-installation pcb-layout pcb-systems physical pins router soildering thg3000 tx-rx uart uart-protocol vox30

Last synced: 1 day ago
JSON representation

Getting a UART Shell on a VodaFone VOX 3.0, With Shell access.

Awesome Lists containing this project

README 

          


  
🛠️ Vox 3.0 UART Shell – Status Update


  Vox 3.0 Router  
(Universal Asynchronous Receiver-Transmitter)


  
Current verdict: UART shell reachable, but the bootloader & firmware are locked down. No known vulns or open services.





---



```bash

# TL;DR

# UART ✔️ reachable

# Shell ❌ locked

# Next step: chip-off NAND dump

```



🖥️ Connection Settings


  

  | Setting       | Value    |

  |---------------|----------|

  | **Baud rate** | 115200   |

  | **Data bits** | 8        |

  | **Stop bits** | 1        |

  | **Parity**    | None     |

  | **Flow control** | None 



## 🚨 2025-07-14 – Reality Check



After exhaustive testing the Vodafone Vox 3.0 (Sercomm SHG3000 / Technicolor THG3000) is **not** an easy target:



| Finding | Detail |

|---|---|

| **Bootloader** | Signed & password-protected CFE (Broadcom BTRM). No `autoboot` interruption or `tftp` recovery path. |

| **Web UI** | Latest ISP firmware (Homeware for THG3000, Sercomm OEM for SHG3000) has **no authenticated RCE** disclosed or fuzzed. |

| **Network services** | Only usable exposed ports are 22 (SSH) and 80/443 (HTTP/S). SSH is key-only, HTTP/S is CSRF-hardened. |

| **UART console** | Accessible (115200 8N1, 3.3 V), but drops to a **restricted BusyBox shell** with non-privileged user (`admin`). No `su`, no `sudo`, no writable `/etc`. |

| **NAND dump** | Possible via **chip-off / SOIC-8 clip**. Requires hot-air or precision rework. ECC is BCH-8 (Technicolor) / BCH-4 (Sercomm). |



---



## 🎯 Revised Roadmap



1. **Hardware path (next)**  

   - SOIC-8 clip + XGecu T56 or similar → raw NAND dump.  

   - Binwalk / `ubireader_extract_images` → squashfs / jffs2 extraction.  

   - Search for hard-coded creds, backdoor accounts, or firmware signing keys.



2. **Software path (on hold)**  

   - Keep monitoring ISP firmware releases for new vulns.  

   - If a signed firmware update ever leaks, diff & hunt for downgrade attacks.



---



## 🧰 What You’ll Need Now



| Item | Purpose |

|---|---|

| SOIC-8 test clip (W25Qxx compatible) | In-circuit NAND read |

| XGecu T56, RT809H, or Bus Pirate | NAND programmer |

| Hot-air station (optional) | Chip-off if clip fails |

| Linux w/ `nanddump`, `binwalk`, `ubireader` | Analysis |



---



## đź“ş Updated Media

  
UART Access Example:


  
At 18 seconds, the magic happens as I had to manually reconnect the wires again.



  [![Watch the video](https://github.com/user-attachments/assets/e0d56086-0873-4aca-a1d1-1ef9fd41966b)](https://github.com/user-attachments/assets/cb16c278-8b7d-44cb-b9e5-09e71b830c30)



  

  
Router + Setup Closeups:


  


    

    

    

    

  



---



## đź“– Repository Purpose (unchanged)



Document **all** attempts—successful or not—to gain root on the Vodafone Vox 3.0 for educational / research use.



> **Reminder:** Only experiment on hardware you own. Tampering may violate ISP ToS and void warranties.



---



## đź”— Quick Links



- [OpenWRT ToH – Vodafone Power Station](https://openwrt.org/toh/vodafone/vodafone_power_station) (still the best public reference)  

- [My Blog](https://blog.birdo.uk) – live notes when NAND dump starts + Just random Stuff. 

- [Main Site](https://birdo.uk) – other tooling & write-ups.



---