I have not seen any teardowns or any information of whats inside of the Virgin Media Super Hub 3 so I thought I would do it my self with one I bought from ebay for £10. As Dave at the EEVBLOG would say "don't turn it on, take it apart!".
The Super Hub 3 DOCSIS 3.0 modem/router/Ethernet switch is an Arris TG2492 and will named as such throughout.
Some basic information:
- 2.4 GHz radio and 5 GHz radio for wireless 802.11a/b/g/n/ac connectivity
- Four Ethernet ports
- Up to two lines of telephone service
- DOCSIS 3.0 and Euro-DOCSIS 3.0 compliant
The main goal of the teardown is to extract the firmware, if you want to cut to the chase you can download it hear
First of all here are some pretty pictures of the Arris TG2492.
To disassemble you first have to shim the front panel off with a thin piece of plastic or just use a flat head screw driver if you don't care about damaging it.
Remove the Torx screw which is now visible from behind the front pannel.
Flip the TG2492 around to the rear and remove the sticker which surrounds the all the ports. You will need a very sharp thin knife to do so.
Once the sticker is removed then proceed to remove the 2 Trox screws which are now visbale.
Now place the TG2492 flat so that the plastic mesh side closest to the screws is pointing upwards. Place a flat head screw driver between the case and the plastic mesh in the bottom left corner and gently pry the mesh upwards. Once the mesh is raised enough to get you fingers underneath proceed to pull the rest up by hand.
Now we have a rear view of the PCB. To remove the PCB , remove the 2 Torx circled in red at the top of the picture then push back the 2 white clips also circled in red at the bottom of the picture.
|1.||Toshiba TC58NVG0S3HTA10||128MB NAND FLASH|
|2A.||QCA9880-3R4A||Qualcomm 802.11ac wireless chipset|
|3.||Unkown||5ghz antena and exteranl Micro-Miniature RF Connector|
|1A.||Atheros AR9382-AL1A||2.4/5 GHZ, 2-STREAM 802.11A/B/G/N|
|1B.||SiGe 2620T||2.4 GHz Wireless LAN/BT Front End|
|2.||Phison PS8211-0||Nand Controller eMMC 4.5|
|3.||54328||Power management chip|
|6.||SK Hynix H5TQ2G63FFR-PBC||128MX16 DDR DRAM, PBGA96 (2048gb Ram. 4096 total)|
|7.||54328||Power management chip|
|8.||54328||Power management chip|
|9.||NBGA 650A 049||Unknown|
|10||RT8294A||2A, 23V, 340kHz Synchronous Step-Down Converter|
|11.||UART||VCC(Square pad), TX, RX, GND. 115200 8-N-1|
|12.||54226||4.5V to 18V Input 2-A Synchronous Step-Down SWIFTTM Converter|
|13A.||MXL267D||Full-Spectrum Capture (FSCTM) digital cable front-end receiver for EuroDOCSIS 3.0|
|14.||54226||4.5V to 18V Input 2-A Synchronous Step-Down SWIFTTM Converter|
|15.||Broadcom BCM53124SKMMLG||Ethernet ICs GIGABIT SWITCH|
|16.||UART||VCC(Square pad), TX, RX, GND. 115200 8-N-1|
|17.||61089B||Bourns DUAL FORWARD-CONDUCTING P-GATE THYRISTORS|
|19.||Unknown||2.5ghz antenna and external Micro-Miniature RF Connector|
|20.||Unknown||Intel Puma 6 SoC DHCE2652 (MD553005A02245, 11L602F576SR278, G29275 01 EQE)|
|21.||JTAG||10 pads covered (unknown if active). Supported by Intel System Studio with ITP-XDP3|
Phison PS8211-0 Pinout (maybe the same pinout for PS7000-0, PS8035, PS8130, PS8131, PS8210)
Thanks to Dan the man for correcting the emmc pinout. Dan has great blog about the Arris router firmware which can be found here https://blog.danman.eu/about-adding-a-static-route-to-my-docsis-modem/
The Phison firmware and config for the PS8211-0 and PS7000-0 can be found on partition 5 at /etc/mmc of router firmware.
UART Intel Puma 6 DUMP 1 of 3
According to Dan the UART output no longer shows very much at all, this dump is from 2016. This page has been visted many times by an IP address owned by Arris which would explain a few things.
UART Intel Puma 6 DUMP 2 of 3
UART Intel Puma 6 DUMP 1 of 3
UART ARRIS Dump 1 of 2
UART ARRIS Dump 2 of 2
Extracting the Firmware
To extract the firmware you will nee the following
- Soldering iron with a smallish tip, fine solder (0.35 is good), flux maybe not as much as I used, and a steady hand.
- Microscope or a good magnifying glass.
- craft knife
- Magnet wire
- Transcend TS-RDF5 SD card reader !IMPORTANT
- SD card breakout such as this or this which I used.
- Optionaly but recomended header pins and jumper wires.
- A Linux operating system. Kali would be a good choice.
The board I used was of a 2015-2016 vintage so newer boards may have a different layout but the principle is the same. You need to connect VCC, GND, CMD, CLK and DAT0 to your SD breakout. Below is a picture of where you need to solder your magnet wire to. For DATO you will need to carefully scrape away some of the solder mask and solder a wire directly to the copper trace.
Once your soldering is done connect all the cables to your SD breakout and insert into the SD card reader (must support 1 bit mode). Make sure your router is turned off and connect the SD card reader to your computer You should now see many paritions mounted in your operating system.
Run this command in your terminal to show a list drives and get the name of the one we are interested in, you will be looking for a drive with a size of roughly 128mb and it will contain many partitions. My drive was labeled sdf so when when ever you see this written change it to your own.
Now run this command to get deatiled information about the device.
The output of my device was as follows.
Next you will want to backup the entire drive by using the following command. The file can be found in the home directory once completed.
Most of the partitions use Squashfs file system, so run the commands below to extract the files from the partition your interested in for editing. Swap the number for the one you want i.e sdf8, sdf7.
Once you have finsihed editing run the following comands to put image back on your router.
Here are some interesting locations
There are 2 U-Boot partitions both are identical. The partition contains multiple images, to extract do the following. You can omit binwalk and fdsik if using the attached image but if you are using your own router you will have to use them.
Python API + CLI for the Virgin Super Hub 3 https://github.com/KarlJorgensen/virgin-media-hub3
Dan the Man's Arris Firmware, Static route and Cert decrypt https://blog.danman.eu/about-adding-a-static-route-to-my-docsis-modem/