update: I re-uploaded the firmware dumps that Yume uploaded on one-drive that are now dead: you can find them here
Great news for EVW3226 owners ! A friend of mine, owning some cool electronic stuffs, helped me to discover serial ports on the mainboard. And he didn’t found one but … two serial ports ! And one of them gives root access without credentials ! Isn’t that cool ?
Here’s a picture of the motherboard with the location of the serial ports
Here’s the pinout
(The routers comes without pins, you will have to solder them on the mainboard.)
Serial port settings are: 115’200/8/N/1
The port labeled “PUMA” gives full root access to the router without credentials, it also prints the kernel boot and different debug messages. The other one called AR9342, gives access to a password protected console and prints different info than the 1st port.
I attached the output from both ports when the device was booting (without the coaxial cable plugged).
I hadn’t much time to play with the OS being root but so far I can say that the provisioning mechanism seems to do a ton of things when the router is authenticated to the CMTS.
Last but not least… tcpdump is available on the router !!!
Next step is to see how things are linked / started and how the provisioning really works.