finally I've got a unit the cable provider does not want back, so it is time to open it up and check for the two UART interfaces.. One UART interface provides bootloader access, the other one linux /dev/ttyS0. There is one SPI flash of 1megabyte, one parallel nand flash chip and one DDR ram chip.

<insert pic here>

the linux login does not work (admin/admin), as the session terminates immediately after login.

It is not possible to dump the flash content by the bootloader as the memory dump function only handles addresses 0x80000000 and up. Fortunately the boot images seem to get loaded into this address space during bootup which may make the system cold-boot-attackable. E.g. power up the device, reset it and then dump the RAM contents. As this takes ages to dump megabytes of data over uart, here is just the stirngs command on the first few dumped kilobytes after 0x80000000 to prove that it is at least possible to get some useful data out of this:

!@        
 @T@
b4BM
Bldr
2.4.0alpha18p1
Bldr
LVGbootloader
image1
image2
linux
linuxapps
permnv
dhtml
dynnv
linuxkfs
...

(these strings are used by the bootloader for the flash partition overview table printed on startup).

Next steps are to check the available address space (too high addresses crash the unit). If it is possible to address 128megabytes after 0x80000000 the real physical memory is mapped to these addresses.

from linux bootlog:

[ 21.310000] Serial: BCM63XX driver $Revision: 1.4 $