Console Hack to Unbrick Ambit 250s 255s no tsop lift

[Joker]

Water is the guy who made it creds to him
LOONEY2008
General Discussion

Moderator
Location: teeside
Thanks: 45
Thanked 19 Times in 14 Posts
Rep Power: 9



Ambit 250/255 Restore Option P

E08C007 Console Unlocker Exploit

Well the eagerly awaited Console Unlocker is here. Thanks to Water for all the effort and hard work.

Quote:
Originally Posted by Water
I completed this project a few months back, and didn’t really have much intention
of making it public as I don’t usually like to do that with my work.
But due to a mixture of being busy,
lazy and some **** wit who thinks he can copy my work and take credit for it, here we go…
A lot of people have kept on asking about this, and when it will be released etc. Well finally, here it is: the eagerly awaited 2.94.1014 software hack,
which is the firmware found on the “250/255 modems” as they are more commonly referred to as. This exploit opens up the console which ultimately
allows you to change the bootloader for some flashing fun.
It started off with some **** at Ambit who thought the 3.1.6d bootloader was a good idea.
After being locked out of my hardware, I set upon the
challenge of getting back in without lifting the flash.
The only route was a software hack, and thus after some time, patience and a lot of enthusiasm,
this exploit application was born.
The exploit is thanks to a vulnerability in the httpd which causes it to crash when you feed it quirky authentication packets. This then kick starts the
console, and after applying some voodoo to deter the watchdog, you are left with a stable console connection to your hardware. From here on, you
could read/write/erase flash regions (such as the bootloader) using SoftJtag etc.
Shoutz to everyone who has worked hard to keep the scene going.
Also thanks to my

USAGE:
1. Apply serial and Ethernet connection between your PC and the modem
2. Set your PC IP parameters to:
IP: 192.168.100.10
Subnet: 255.255.255.0
Gateway: 192.168.100.1
3. Power on the modem and wait for it to startup (10 secs)
4. Open the exploit application and hit “Execute Exploit”
5. If it says its successful, then the console is now ready to accept connections!
If it fails, power cycle the modem and try the application again.
At this point,
if you want to restore your bootloader to the original 2.1.6d that has the re-flashing menu etc, you need a copy of SoftJTAG and the
2.1.6d bootloader.
**BE CAREFUL WHEN USING SOFTJTAG -
As you can brick your modem if your not careful**
1. Open SoftJTAG, and connect via your serial port.
2. On the right hand side, click on “Write Bootloader” and select the 2.1.6d bootloader file
3. Wait till its done (this takes 10 – 15 minutes). Once it’s done, close SoftJTAG
4. Start HyperTerminal/TeraTerm and connect to your serial port
5. Reset the modem
Upon resetting the modem, you will now be given the option to stop at P as it is now booting with the 2.1.6d bootloader. You MUST press the button
and stop then, as if you miss it and let it fully boot, your bootloader will be over-written again with the 3.1.6d, in which case you will have to repeat
these steps again and be quicker not to miss it next time.
If you are successful in entering the menu,
you can now re-flash or whatever you wish to do with your modem from this menu!
Legal disclaimer: I take no responsibility for the above given information or files and what you decide to do with it. This is purely for information purposes and should not be attempted to be executed in any way,
particularly for any illegal purposes. I could tell you thumping a noob over the head with a modem would probably knock them unconscious, but that doesn’t mean you should do it.

You'll need all the following files on your PC. If you use the Ambit Tool or similar apps you've probably already installed .NET Framework & Visual J.



Console Unlocker

HTML Code:

http://***************/files/141843898/Console_Unlocker_v1.1b_Revolution_Forums_Edition.rar.html

2.1.6d Bootloader

HTML Code:

http://***************/files/142073844/2.1.6d_Bootloader.zip.html

Soft JTAG All Versions

HTML Code:

http://***************/files/142025730/Soft_Jtag_all_versions.rar.html

Microsoft .NET Framework Version 2.0 Redistributable Package (x86)

HTML Code:

http://www.microsoft.com/downloads/thankyou.aspx?familyId=0856eacb-4362-4b0d-8edd-aab15c5e04f5&displayLang=en

Microsoft Visual J#® 2.0 Redistributable Package – Second Edition (x86)

HTML Code:

http://www.microsoft.com/downloads/thankyou.aspx?familyId=e9d87f37-2adc-4c32-95b3-b5e3a21bab2c&displayLang=en

WINCOMM32.ocx & MSWINSCK.ocx

HTML Code:

http://***************/files/142015319/OCX_files.rar.html

[lincsat]

The files are available from the Private FTA download links, they are untested so use at your own risk.

[50pounds]

i did evrything wrote down here

now my modem has only the power light on lol

OMG this just gets really annoying the soft jag proggy timed out in the middle of flashing no way to bring this back to life??

[abaaba]

the link doesnt seem to work, what am i supposed to change the ****** with?

[toolzkit]

I think you have to be a member of the forum which these links came from.... RF

[50pounds]

Quote:

Originally Posted by toolzkit

I think you have to be a member of the forum which these links came from.... RF

well im logged in and still no luck! ? lol shame i got em from else where and now my modem has only got the power light showing!

[anthrax]

m8, thanx so much for that, once i worked out what links were what and also helped along the way with file and that, my god it worked 1st time, i was abit dubious it first, but i thought why not , as everything else i have follwed off this site has worked be it jtag/max cable building---doing tv //modems--its worked , so thanx all, i cant beleive this----and i was gonna buy a willem---daft me!! glad i didnt¬¬¬¬ though could be usefull for future projects like wii chipping etc....

silly me though got a bit previous a month or so ago--and removed chips of 3 modems, ready for when i got a willem---ill go and buy a gas blower thingy--ant put em back now ---my other got lost-broken buy misses somewhere!!!

anyway thanx again i still cant belive it!!

[big guns 08]

will this work on a epc2100 modem ..it has never been flashed or anythin just an old 1 frokm when i had the net

[big guns 08]

?,,,,,

[G77]

i've not come across a 2100 without option p!