Current verdict: UART shell reachable, but the bootloader & firmware are locked down. No known vulns or open services.
```
# TL;DR
# UART ✔️ reachable
# Shell ❌ locked
# Next step: chip-off NAND dump
```

| Setting | Value |
|---|---|
| Baud rate | 115200 |
| Data bits | 8 |
| Stop bits | 1 |
| Parity | None |
| Flow control | None |

After exhaustive testing, the Vodafone Vox 3.0 (Sercomm SHG3000 / Technicolor THG3000) is not an easy target:

| Finding | Detail |
|---|---|
| Bootloader | Signed & password-protected CFE (Broadcom BTRM). No autoboot interruption or tftp recovery path. |
| Web UI | Latest ISP firmware (Homeware for THG3000, Sercomm OEM for SHG3000): no authenticated RCE has been disclosed, and none was found by fuzzing. |
| Network services | Only usable exposed ports are 22 (SSH) and 80/443 (HTTP/S). SSH is key-only, HTTP/S is CSRF-hardened. |
| UART console | Accessible (115200 8N1, 3.3 V), but drops to a restricted BusyBox shell with non-privileged user (admin). No su, no sudo, no writable /etc. |
| NAND dump | Possible via chip-off / SOIC-8 clip. Requires hot-air or precision rework. ECC is BCH-8 (Technicolor) / BCH-4 (Sercomm). |

- Hardware path (next)
  - SOIC-8 clip + XGecu T56 or similar → raw NAND dump.
  - Binwalk / `ubireader_extract_images` → squashfs / jffs2 extraction.
  - Search for hard-coded creds, backdoor accounts, or firmware signing keys.
- Software path (on hold)
  - Keep monitoring ISP firmware releases for new vulns.
  - If a signed firmware update ever leaks, diff & hunt for downgrade attacks.

| Item | Purpose |
|---|---|
| SOIC-8 test clip (W25Qxx compatible) | In-circuit NAND read |
| XGecu T56, RT809H, or Bus Pirate | NAND programmer |
| Hot-air station (optional) | Chip-off if clip fails |
| Linux w/ nanddump, binwalk, ubireader | Analysis |

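
A raw dump from a programmer interleaves each page with its spare (OOB/ECC) bytes, which has to be removed before binwalk or ubireader can parse the image in the hardware path above. The following is an added example, not part of the original notes: the candidate page/OOB sizes and the 64 pages per block are assumptions rather than values measured on this device, the sample image is constructed, and no BCH error correction is performed.

```python
"""Strip spare (OOB) bytes from a raw NAND dump and sanity-check the geometry."""

UBI_EC_MAGIC = b"UBI#"  # magic at the start of every UBI erase block
PAGES_PER_BLOCK = 64    # assumption: typical value, check the flash datasheet

def strip_oob(raw, page_size, oob_size):
    """Return only the data area of each page (drops the ECC/spare bytes)."""
    stride = page_size + oob_size
    if len(raw) == 0 or len(raw) % stride:
        raise ValueError(f"dump length {len(raw)} is not a multiple of {stride}")
    return b"".join(raw[o:o + page_size] for o in range(0, len(raw), stride))

def ubi_block_offsets(data, page_size):
    """Offsets of erase blocks that begin with a UBI erase-counter header."""
    block = page_size * PAGES_PER_BLOCK
    return [o for o in range(0, len(data), block) if data[o:o + 4] == UBI_EC_MAGIC]

def guess_geometry(raw, candidates=((2048, 64), (2048, 128), (4096, 224))):
    """Rank candidate (page, oob) sizes by how many UBI blocks they reveal."""
    scored = []
    for page, oob in candidates:
        try:
            hits = ubi_block_offsets(strip_oob(raw, page, oob), page)
        except ValueError:
            continue  # dump size does not fit this geometry
        if hits:
            scored.append((len(hits), page, oob))
    return [(page, oob) for _, page, oob in sorted(scored, reverse=True)]

def make_sample_dump(page=2048, oob=64, blocks=3):
    """Constructed test image: block 0 is loader bytes, the rest are UBI."""
    out = bytearray()
    for b in range(blocks):
        for p in range(PAGES_PER_BLOCK):
            head = UBI_EC_MAGIC if (b > 0 and p == 0) else b"\x00\x00\x00\x00"
            out += head + bytes([b]) * (page - 4) + b"\xEE" * oob
    return bytes(out)

if __name__ == "__main__":
    raw = make_sample_dump()
    page, oob = guess_geometry(raw)[0]
    clean = strip_oob(raw, page, oob)
    print(f"page={page} oob={oob} ubi_blocks={ubi_block_offsets(clean, page)}")
```

If no candidate geometry yields UBI headers on block boundaries, the dump is either using a different layout or needs ECC correction before extraction.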
At 18 seconds, the magic happens as I had to manually reconnect the wires again.
MobaXterm_Personal_23.6_CPQQKd2rvL.mp4
Document all attempts—successful or not—to gain root on the Vodafone Vox 3.0 for educational / research use.
Reminder: Only experiment on hardware you own. Tampering may violate ISP ToS and void warranties.
- OpenWRT ToH – Vodafone Power Station (still the best public reference)
- My Blog – live notes when NAND dump starts + Just random Stuff.
- Main Site – other tooling & write-ups.