Extracting Firmware from the Virgin Super Hub 2ac

The MDSec hardware security team were recently researching the Virgin Super Hub 2ac; the latest of Virgin’s Super Hub models which supports the 5Ghz band of wireless. This blog post talks through the steps we undertook to recover the firmware from this device.

One of the first steps during a hardware review is to inspect the board. Opening the device, we quickly identified a couple of jumper groups that appeared to be a UART interface. Each group is formed of 4 missing pins in a straight line, as shown below:

After soldering new pins in each port, we began fuzzing the interface to identify the function of each pin. In this instance we used the Jtagulator, however we’ve previously documented how an Arduino may be used.

Once the correct PIN configuration was identified we were able to interface with the UART port, as shown below:

Enter TXD pin [1]:
Enter RXD pin [2]:
Enter baud rate [14400]: 115200
Enable local echo? [y/N]:
Entering UART passthrough! Press Ctrl-X to abort…
U-Boot 1.2.0 (Dec 11 2013 – 12:24:11)
DRAM:  128 MB
Macronix MX25L1606E flash found
Flash: 16 MB
In:    serial
Out:   serial
Err:   serial
Start download image from Scorpion…
our IP address is
Load address: 0x87000000
GigE switch was found….
GigE switch was initialized….
T T T……………………………….done
(size= 8373248)
AthpCheckChecksum: MATCH!! checksum= A43E1841
## Executing script at 87000000
============== Running script =========
*** Running from RAM partition @0x87000000
Load address = 0x87002260 (0x2260)
Kernel address = 0x870022ac (0x22ac)
kernel size = 0x106554
FS address = 0x87108800 (0x108800)
FS size = 0x6f3c00
NVRAM offset = 0x100000
NVRAM size = 0x100000
## Booting image at 87002260 …
Image Name:   Multi Image File
Image Type:   ARM Linux Multi-File Image (uncompressed)
Data Size:    8364384 Bytes =  8 MB
Load Address: 80a00000
Entry Point:  80a00000
Image 0:  1074516 Bytes =  1 MB
Image 1:  7289856 Bytes =  7 MB
Verifying Checksum … OK
Starting kernel …
Starting LZMA Uncompression Algorithm.
Compressed file is LZMA format.[/code]

Unfortunately, in this instance we discovered that the port was read only so we continued to review the device’s other storage components, specifically those highlighted below where we observed two SPI and one NAND chip:

To read from the SPI interface we used the Shikra and an 8 pin SOIC clip. To power the chip, we used a Teensy converted to run at 3.3 volts, as shown on the image below:

We then subsequently used Flashrom which supports a generic ft232 reader and is not only reliable and but fast, to read from the SPI as shown below:

To interface with the NAND flash, we used a 360 clip to interface with the chip without having to desolder it. This is a very elegant solution especially when you need to write to the flash. To read from the device a FT2232 developer board was used in combination with the Teensy as 3.3V power supply, as shown below. For more information about this please refer to the original resource.

To read from the NAND flash, you can use the ftdinandreader tool as supplied in the in the SpritesMod reference above:

Please stay tuned for our next blog post where an analysis of the recovered binary files will be performed.

This blog post was written by Razvan Sima.



written by

MDSec Research

Ready to engage
with MDSec?

Copyright 2021 MDSec