Skip to main content

Hacking and patching TP-LINK TD-W8901G router

Hacking and patching TP-LINK TD-W8901G router

by piotrbania.com  / twitter: @PiotrBania / 31.01.2014


Motivation
Recently a critical vulnerability has been found in TP-LINK routers and few other router devices. This particular vulnerability to which I am referring was described here. Basically it is so called ROM-0 attack. In short attacker by requesting ROM-0 through HTTP request (ie. http://192.168.1.1/ROM-0) can download all important and secret data stored in your router. This includes your ADSL login/password combination, WIFI password and basically all of your configuration data. Actually I was a bit pissed at TP-LINK for this crap so I have decided to patch the vulnerability by myself.

DISCLAIMER: Author takes no responsibility for any actions with provided informations or codes. Your are doing everything on your own responsibility.

If you are looking for rom-0 password decoder (rom0 decompressor) - here it is: http://piotrbania.com/all/utils/RomDecoder.c

The list of vulnerable devices is presented below:
  • TD-W8901G
  • TD-8816
  • TD-W8951ND
  • TD-W8961ND
  • D-Link DSL-2640R
  • ADSL Modem
  • AirLive WT-2000ARM
  • Pentagram Cerberus P 6331-42
  • ZTE ZXV10 W300


I had one of those devices (TD-W8901G) and I took this as a good fortune sign to start playing with hardware router hacking :-). My task was to patch this vulnerability and make the ROM-0 not downloadable. This was my pretty much first encounter with this type of stuff (and my first encounter with MIPS really). At this point I would like to thank hackerfantastic and robercik for some hardware hints.

Serial connection
Most of the routers (or embedded devices in general) have some sort of communication port designed to aid the manufactures with testing and debugging of the target device. This communication port is usually SERIAL (UART/RS232) or JTAG (EJTAG). In my case I was unable to find the JTAG (EJTAG) port but I have found the serial port instead (presented on images below).




First of all this is some ugly ass soldering work (yes I did that). Ok now getting back to my initial point I have used PL2303 RS232<>USB converter to connect the serial port to the usb port of my computer. Putty is pretty decent for handling normal serial communication so I have used it as my default client (configuration: 115200/8/1/N). I was expecting to see some output in my putty but unfortunately I got nothing. So after some digging around and harassing few friends (ohayo!) I have found out that my voltage levels on RX and TX pins were too low (should be 3.3V). So after some further digging and looking on schematics of this board it became obvious that two resistors are missing (see image above). So I took a piece of wire and I have connected the empty pins together (in two places obviously). So now the voltage levels were correct and I was able to see the output in my terminal.

This is what I have received: 
    

  1. Bootbase Version: VTC1.15 | 2007/11/12 17:18:52
    2. 

  2. RAM: Size = 8192 Kbytes
    3. 

  3. DRAM POST: Testing:  8192K
    4. 

  4. OK
    5. 

  5. FLASH: AMD 16M *1
    6. 

  6.  
    7. 

  7. RAS Version: 1.0.2 Build 080522 Rel.37708
    8. 

  8. System   ID: *2.11.36.0(RE9.C29)3.10.2.60| 2008/04/24
    9. 

  9.  
    10. 

  10. Press any key to enter debug mode within 3 seconds.
    11. 

  11. .....................................
    12. 

  12. Enter Debug Mode
    13.
After some additional digging I have found that you can use 'ATHE' command to list all available commands (this is not really deeply documented anywhere): 
    

  1. ======= Debug Command Listing =======
    2. 

  2. AT          just answer OK
    3. 

  3. ATHE          print help
    4. 

  4. ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    5. 

  5. ATENx,(y)     set BootExtension Debug Flag (y=password)
    6. 

  6. ATSE          show the seed of password generator
    7. 

  7. ATTI(h,m,s)   change system time to hour:min:sec or show current time
    8. 

  8. ATDA(y,m,d)   change system date to year/month/day or show current date
    9. 

  9. ATDS          dump RAS stack
    10. 

  10. ATDT          dump Boot Module Common Area
    11. 

  11. ATDUx,y       dump memory contents from address x for length y
    12. 

  12. ATRBx         display the  8-bit value of address x
    13. 

  13. ATRWx         display the 16-bit value of address x
    14. 

  14. ATRLx         display the 32-bit value of address x
    15. 

  15. ATGO(x)       run program at addr x or boot router
    16. 

  16. ATGR          boot router
    17. 

  17. ATGT          run Hardware Test Program
    18. 

  18. ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)
    19. 

  19. ATSH          dump manufacturer related data in ROM
    20. 

  20. ATDOx,y       download from address x for length y to PC via XMODEM
    21. 

  21. ATTD          download router configuration to PC via XMODEM
    22. 

  22. ATUR          upload router firmware to flash ROM
    23. 

  23.  
    24. 

  24. < press any key to continue >
    25. 

  25. ATLC          upload router configuration file to flash ROM
    26. 

  26. ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode
    27. 

  27. ATLD          Upload Configuration File and Default ROM File to Flash
    28. 

  28. ATCD          Convert Running ROM File to Default ROM File into Flash
    29.
So at this point we have a set of commands but still no way to debug this thing. We can't see the registers, we can't set breakpoints, we can't step on instructions so this a bit like walking in a fog. The good point is we can read and dump memory. So piece by piece using ATDO command I have dumped the memory from the device. Please note that this is a rather painful process because every attempt to read unavailable memory will end up with the device turning into zombie mode (no crash dump or even a guru meditation it just freezes). I have noticed that MINICOM is simply the best thing to dump the memory (I have tried using TeraTerm and HyperTerminal but they both were pretty unstable).




But before we will go to the dump analysis itself there is one especially interesting command - ATEN (set BootExtension Debug Flag (y=password)). So as you can see we need the secret password to use it otherwise it will simply return ERROR. But when successfully used it will provide us some awesome hidden commands!


ATEN Password Generator
So like always in those type of situations you start with googling it up. Somewhere in the google results I have found a website called "Running uCLinux on a ZyXEL router". You can find a ATEN password generation algorithm there but unfortunately it didn't work on my device. So we are back to square one and we need to do some disassembly together with static analysis.

The first step in my approach was to locate the function responsible for handling the ATEN command. I have located this piece by searching for a dispatch-command table. Why I knew there will be one? I just assumed I would code it that way (there isn't any other option really except creating a giant if-elseif condition set). Here it is: 
    

  1. ROM:800158A0 CmdTable:       .word unk_80015C20       # DATA XREF: sub_8000E3D8+4C o
    2. 

  2. ROM:800158A0                                          # sub_8000E3D8+90 o ...
    3. 

  3. ROM:800158A4                 .word sub_8000E6D0
    4. 

  4. ROM:800158A8                 .byte    0
    5. 

  5. ROM:800158A9                 .byte    0
    6. 

  6. ROM:800158AA                 .byte    0
    7. 

  7. ROM:800158AB                 .byte    0
    8. 

  8. ROM:800158AC                 .word aJustAnswerOk      # "          just answer OK"
    9. 

  9. ROM:800158B0                 .word aAthe              # "ATHE"
    10. 

  10. ROM:800158B4                 .word CMD_SHOW_HELP_ATHE
    11. 

  11. ROM:800158B8                 .byte    0
    12. 

  12. ROM:800158B9                 .byte    0
    13. 

  13. ROM:800158BA                 .byte    0
    14. 

  14. ROM:800158BB                 .byte    0
    15. 

  15. ROM:800158BC                 .word aPrintHelp         # "          print help"
    16. 

  16. ROM:800158C0                 .word aAtba              # "ATBA"
    17. 

  17. ROM:800158C4                 .word CMD_ATBA
    18. 

  18. ...
    19. 

  19. ROM:800158D0                 .word aAten              # "ATEN"
    20. 

  20. ROM:800158D4                 .word CMD_ATEN
    21. 

  21. ...
    22.

The table itselft is pretty straight forward (remember on MIPS word is 4 bytes). So let's now see the CMD_ATEN function (the most important part): 
    

  1. ROM:8000FF84                 lw      $a0, 8($s0)
    2. 

  2. ROM:8000FF88                 jal     sub_80013654
    3. 

  3. ROM:8000FF8C                 li      $a1, 0
    4. 

  4. ROM:8000FF90                 jal     generate_passwd
    5.
And now generate_passwd function: 
    

  1. ROM:80010A2C generate_passwd:                         # CODE XREF: CMD_ATEN+50 p
    2. 

  2. ROM:80010A2C                 lui     $t9, 0xA11F
    3. 

  3. ROM:80010A30                 lw      $v1, ptrDO_GTABLE
    4. 

  4. ROM:80010A34                 lw      $t8, dword_80017050
    5. 

  5. ROM:80010A38                 lw      $v1, 0x18($v1)  # take the seed part, generated by the ATSE command
    6. 

  6. ROM:80010A3C                 lbu     $t8, 0x6D($t8)  # take the last byte of the MAC Address
    7. 

  7. ROM:80010A40                 sll     $v1, 8   # $v1 = v1 << 8
    8. 

  8. ROM:80010A44                 andi    $t7, $t8, 7  # $t7 = t8 & 0x7
    9. 

  9. ROM:80010A48                 li      $t8, 0   # $t8 = 0
    10. 

  10. ROM:80010A4C                 srl     $v1, 8   # $v1 = v1 >> 8 
    11. 

  11. ROM:80010A50                 li      $t9, 0xA11F5AC6  # $t9 = MAGIC
    12. 

  12. ROM:80010A54                 j       loc_80010A68
    13. 

  13. ROM:80010A58                 addu    $t9, $v1, $t9  # $t9 = $v1 + $t9
    14. 

  14. ROM:80010A5C  # ---------------------------------------------------------------------------
    15. 

  15. ROM:80010A5C
    16. 

  16. ROM:80010A5C loc_80010A5C:                             # CODE XREF: generate_passwd+40 j
    17. 

  17. ROM:80010A5C                 sll     $t9, 31   # $t9 = $t9 << 31
    18. 

  18. ROM:80010A60                 or      $t9, $t6, $t9  # $t9 = $t6 | $t9
    19. 

  19. ROM:80010A64                 addiu   $t8, 1    # $t8 = $t8 + 1
    20. 

  20. ROM:80010A68
    21. 

  21. ROM:80010A68 loc_80010A68:        # CODE XREF: generate_passwd+28 j
    22. 

  22. ROM:80010A68                 sltu    $t6, $t8, $t7  # $t6 = (t8 < t7? 1:0)
    23. 

  23. ROM:80010A6C                 bnez    $t6, loc_80010A5C  # take jump if $t6 != 0
    24. 

  24. ROM:80010A70                 srl     $t6, $t9, 1  # $t6 = $t9 >> 1
    25. 

  25. ROM:80010A74                 jr      $ra   # all done, exit
    26. 

  26. ROM:80010A78                 xor     $v0, $t9, $v1  # $v0 = $t9 ^ $v1
    27.
Some notes from the code:
  • $v1 is the seed value (generated by the ATSE command, zero if ATSE is not used)
  • $t8 initially contains the last byte of MAC Address (last octet)
  • 0xA11F5AC6 is a magic value we were looking for!
  • Those two instructions: "$v1 = v1 << 8" and "$v1 = v1 >> 8" are equal to "seed = seed & 0x00FFFFFF"
  • The loop with (sll-or-srl) is nothing more than a ROR instruction (ROR instruction on MIPS is a pseudoinstruction meaning it is typically emulated by using sll-or-srl sequence)
  • $v0 is the result

So this is how it would look in C: 
    

  1. U32 generate_passwd(U32 seed, U8 last_mac_octet)
    2. 

  2. {
    3. 

  3.       U32 b = seed & 0x00FFFFFF;
    4. 

  4.       U32 r = ROR(b + 0xA11F5AC6, last_mac_octet & 7);
    5. 

  5.       return r^b;
    6. 

  6. }
    7.
And as you can see this is pretty much the algorithm used by ZyXEL the only difference is the MAGIC VALUE (0xA11F5AC6). You can use the script below to generate your own password for ATEN (remember if you will not use the ATSE command your seed will be zero).

ATEN Password Generation Script:
Field Value
Seed:
Last MAC Octet:


In my case the magic command was "ATEN1,508fad63" and this is what "ATHE" produced afterwards: 
    

  1. ======= Debug Command Listing =======                                           
    2. 

  2. AT          just answer OK                                                      
    3. 

  3. ATHE          print help                                                        
    4. 

  4. ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k        
    5. 

  5. ATENx,(y)     set BootExtension Debug Flag (y=password)                         
    6. 

  6. ATSE          show the seed of password generator                               
    7. 

  7. ATTI(h,m,s)   change system time to hour:min:sec or show current time           
    8. 

  8. ATDA(y,m,d)   change system date to year/month/day or show current date         
    9. 

  9. ATDS          dump RAS stack                                                    
    10. 

  10. ATDT          dump Boot Module Common Area                                      
    11. 

  11. ATDUx,y       dump memory contents from address x for length y                  
    12. 

  12. ATWBx,y       write address x with  8-bit value y                               
    13. 

  13. ATWWx,y       write address x with 16-bit value y                               
    14. 

  14. ATWLx,y       write address x with 32-bit value y                               
    15. 

  15. ATRBx         display the  8-bit value of address x                             
    16. 

  16. ATRWx         display the 16-bit value of address x                             
    17. 

  17. ATRLx         display the 32-bit value of address x                             
    18. 

  18. ATGO(x)       run program at addr x or boot router                              
    19. 

  19. ATGR          boot router                                                       
    20. 

  20. ATGT          run Hardware Test Program                                         
    21. 

  21. AT%Tx         Enable Hardware Test Program at boot up                           
    22. 

  22. ATBTx         block0 write enable (1=enable, other=disable)                     
    23. 

  23.                                                               
    24. 

  24.  
    25. 

  25. ATRTw,x,y(,z) RAM test level w, from address x to y (z iterations)              
    26. 

  26. ATWEa(,b,c,d) write MAC addr, Country code, EngDbgFlag, FeatureBit to flash ROM 
    27. 

  27. ATCUx         write Country code to flash ROM                                   
    28. 

  28. ATCB          copy from FLASH ROM to working buffer                             
    29. 

  29. ATCL          clear working buffer                                              
    30. 

  30. ATSB          save working buffer to FLASH ROM                                  
    31. 

  31. ATBU          dump manufacturer related data in working buffer                  
    32. 

  32. ATSH          dump manufacturer related data in ROM                             
    33. 

  33. ATWMx         set low 6 digits MAC address in working buffer                    
    34. 

  34. ATMHx         set hight 6 digits MAC address in working buffer                  
    35. 

  35. ATBS          show the bootbase seed of password generator                      
    36. 

  36. ATLBx         xmodem upload bootbase,x is password                              
    37. 

  37. ATSMx         set 6 digits MAC address in working buffer                        
    38. 

  38. ATCOx         set country code in working buffer                                
    39. 

  39. ATFLx         set EngDebugFlag in working buffer                                
    40. 

  40. ATSTx         set ROMRAS address in working buffer                              
    41. 

  41. ATSYx         set system type in working buffer                                 
    42. 

  42. ATVDx         set vendor name in working buffer                                 
    43. 

  43. ATPNx         set product name in working buffer                                
    44. 

  44. ATFEx,y,...   set feature bits in working buffer                                
    45. 

  45. ATMP          check & dump memMapTab                                            
    46. 

  46. ATDOx,y       download from address x for length y to PC via XMODEM   
    47. 

  47.                                
    48. 

  48. ATTD          download router configuration to PC via XMODEM                    
    49. 

  49. ATUPx,y       upload to RAM address x for length y from PC via XMODEM           
    50. 

  50. ATUR          upload router firmware to flash ROM                               
    51. 

  51. ATDC          hardware version check disable during uploading firmware          
    52. 

  52. ATLC          upload router configuration file to flash ROM                     
    53. 

  53. ATUXx(,y)     xmodem upload from flash block x to y                             
    54. 

  54. ATERx,y       erase flash rom from block x to y                                 
    55. 

  55. ATWFx,y,z     copy data from addr x to flash addr y, length z                   
    56. 

  56. ATXSx         xmodem select: x=0: CRC mode(default); x=1: checksum mode         
    57. 

  57. ATLD          Upload Configuration File and Default ROM File to Flash           
    58. 

  58. ATBR              Reset to default Romfile                                      
    59. 

  59. ATCD          Convert Running ROM File to Default ROM File into Flash      
    60.
Now we have access to few other interesting commands. Remember the objective is to patch the ROM-0 download vulnerability.


Patching the vulnerability (virtually)
In order to patch the vulnerability we need to patch the stage2 firmware (we are still on the stage1 level - minimal boot firmware). You can go to the stage2 firmware by typing ATGR (boot router) command. The bad thing about that is after this step we will have no access to stage 1 commands. So we can't really patch :( 
    

  1. (Compressed)                                                               
    2. 

  2. Version: ADSL ATU-R, start: bfc5d430                                       
    3. 

  3. Length: 390890, Checksum: 08F1                                             
    4. 

  4. Compressed Length: D7150, Checksum: DBE7
    5. 

  5.  
    6. 

  6. Copyright (c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD
    7. 

  7. initialize ch = 0, IP175C, ethernet address: 00:XX:XX:XX:XX:41
    8. 

  8. initialize ch = 1, ethernet address: 00:XX:XX:XX:XX:41
    9. 

  9. Wan Channel init ........ done
    10. 

  10. Initializing ADSL F/W ........ done
    11. 

  11. ANNEXAL
    12. 

  12. set try multimode number to 3 (dropmode try num 3)
    13. 

  13. Syncookie switch On!
    14. 

  14. Press ENTER to continue...
    15. 

  15.  
    16. 

  16. Valid commands are:
    17. 

  17. sys             exit            ether           wan
    18. 

  18. ip              bridge          dot1q           pktqos
    19. 

  19. show            set             lan
    20. 

  20. tc>
    21.
So what happened? The compressed stage 2 firmware got decompressed and executed. Knowing the ATGR command boots up the router let's find the instruction that passes the execution to the stage 2 firmware. This seems to be the best option because the firmware at that point is already unpacked. 
    

  1. ROM:80011E8C loc_80011E8C:      # CODE XREF: LoadAndRunImage+D8 j
    2. 

  2. ROM:80011E8C                 jal     sub_80009B24
    3. 

  3. ROM:80011E90                 li      $a0, 0x1F4
    4. 

  4. ROM:80011E94
    5. 

  5. ROM:80011E94 execute_image:      # execute image
    6. 

  6. ROM:80011E94                 jalr    $s0    # jump and link to address in $s0
    7. 

  7. ROM:80011E98                 nop
    8.
Now the question is what is the address stored in $s0? Obviously we still can't set a breakpoint, we can't view the registers so we need to leak it using some trick. But wait we can read and write memory so take a look on the following command: 
    

  1. ATWL 80011E94, ae30001c
    2. 

  2. ATGR
    3.
This command patches the instruction at 0x80011E94 with ae30001c (the byte representation of MIPS "sw $s0, 0x1C($s1)" instruction). By overwriting the original jalr $s0 with sw $s0, 0x1C($s1) we have forced the program to store the contents of $s0 register to 0x8001FF1C memory address. So now stage 2 firmware will not be executed instead the "ERROR" message will be presented and we will still have the access to the stage1 console! So let's take a look what was stored at 0x8001FF1C. 
    

  1. ATRL 8001FF1C
    2. 

  2. 8001FF1C: 80020000
    3.
So now when we have leaked stage 2 address (0x80020000) we can dump it and analyse it properly).

So keeping in mind that we want to block ROM-0 from being downloadable I have found (using trail and error and xrefs) following code fragment that was a great candidate for patching: 


    

  1. ROM:80248C98                 la      $a1, aRom0_8     # "/rom-0"
    2. 

  2. ROM:80248CA0                 jal     sub_802D0F2C
    3. 

  3. ROM:80248CA4                 move    $a0, $s2
    4. 

  4. ROM:80248CA8                 beqz    $v0, loc_80248CB8    # NOP THIS SIR
    5. 

  5. ROM:80248CAC                 li      $v1, 0xE
    6. 

  6. ROM:80248CB0                 j       loc_exit
    7. 

  7. ROM:80248CB4                 sw      $v1, 0x64($s3)
    8. 

  8.  
    9. 

  9.  
    10. 

  10. ROM:80248DEC loc_exit:                            # CODE XREF: sub_80248AA8+208 j
    11. 

  11. ROM:80248DEC                                          # sub_80248AA8+21C j ...
    12. 

  12. ROM:80248DEC                 lw      $ra, 0x28+var_4($sp)
    13. 

  13. ROM:80248DF0                 lw      $s0, 0x28+var_28($sp)
    14. 

  14. ROM:80248DF4                 lw      $s1, 0x28+var_24($sp)
    15. 

  15. ROM:80248DF8                 lw      $s2, 0x28+var_20($sp)
    16. 

  16. ROM:80248DFC                 lw      $s3, 0x28+var_1C($sp)
    17. 

  17. ROM:80248E00                 lw      $s4, 0x28+var_18($sp)
    18. 

  18. ROM:80248E04                 lw      $s5, 0x28+var_14($sp)
    19. 

  19. ROM:80248E08                 lw      $s6, 0x28+var_10($sp)
    20. 

  20. ROM:80248E0C                 lw      $fp, 0x28+var_8($sp)
    21. 

  21. ROM:80248E10                 nop
    22. 

  22. ROM:80248E14                 jr      $ra
    23. 

  23. ROM:80248E18                 addiu   $sp, 0x28
    24.
So the beqz $v0, loc_80248CB8 instruction jumps to loc_80248CB8 and we simply don't want that. So instead when the condition is not met this procedure jumps to loc_exit which is basically saying "goodbye". So let's patch the beqz with NOP: 

    

  1. ATEN 1,508fad63
    2. 

  2. ATWL 80011E94, 00000000
    3. 

  3. ATGR
    4. 

  4. ATWL 80248CA8, 00000000
    5. 

  5. ATGO 80020000
    6.

So now when the stage 2 firmware is patched in memory and booted it is time to test it (for the record: 192.168.2.1 - is my router addr)!




SUCCESS!


Conclusion
This simple patch was done in virtual memory only meaning everything will come back to the state it was before applying it after your router reboots. This is convenient from one side and inconvenient from the other. It is certainly possible to flash the device with modified firmware but I will not provide such methods here. One way or another I hope you have enjoyed the journey as I did. There are probably a plenty more vulnerabilities like this one somewhere inside every router so sometimes such ghetto hacks may become necessary :-) (let's hope not!). Obviously this was just one simply patch and it wasn't heavily tested in action. Please use this method as a way of learning something NOT as an actual remedy (probably there are plenty of other bugs that need to be patched as well). - PIOTR 31.01.2014 / EOF.


Bonus Binwalk
Some additional material from binwalk: 

    

  1. root@ubuntu:/home/die/binwalk/firmware# binwalk  firmware.bin
    2. 

  2. DECIMAL    HEX        DESCRIPTION
    3. 

  3. -------------------------------------------------------------------------------------------------------------------
    4. 

  4. 84992      0x14C00    ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 66696, 
    5. 

  5. compressed size: 16845, uncompressed checksum: 
    6. 

  6.  
    7. 

  7. 0xC92E, compressed checksum: 0xC9CE, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed 
    8. 

  8. checksum is valid, memory map table address: 0x0
    9. 

  9. 85043      0x14C33    LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, 
    10. 

  10. uncompressed size: 66696 bytes
    11. 

  11. 128002     0x1F402    GIF image data, version "89a", 200 x 50
    12. 

  12. 136194     0x21402    GIF image data, version "89a", 560 x 50
    13. 

  13. 349184     0x55400    ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 3737744, 
    14. 

  14. compressed size: 880976, uncompressed checksum: 
    15. 

  15.  
    16. 

  16. 0x8F1, compressed checksum: 0xDBE7, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed 
    17. 

  17. checksum is valid, memory map table address: 0x0
    18. 

  18. 349235     0x55433    LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, 
    19. 

  19. uncompressed size: 3737744 bytes
    20. 

  20.  
    21. 

  21.  
    22. 

  22.  
    23. 

  23. dd if=firmware.bin bs=1 skip=85043 of=image1.lzma
    24. 

  24. dd if=firmware.bin bs=1 skip=349235 of=image2.lzma
    25. 

  25.  
    26. 

  26. root@ubuntu:/home/die/binwalk/firmware# lzma -d image1.lzma 
    27. 

  27. root@ubuntu:/home/die/binwalk/firmware# lzma -d image2.lzma 
    28. 

  28.  
    29. 

  29.  
    30. 

  30. die@ubuntu:~/binwalk/firmware$ binwalk image2
    31. 

  31.  
    32. 

  32. DECIMAL    HEX        DESCRIPTION
    33. 

  33. -------------------------------------------------------------------------------------------------------------------
    34. 

  34. 2840932    0x2B5964   Copyright string: " (c) 1994 - 2004 ZyXEL Communications Corp."
    35. 

  35. 2840988    0x2B599C   Copyright string: " (c) 2001 - 2006 TrendChip Technologies Corp."
    36. 

  36. 2841044    0x2B59D4   Copyright string: " (c) 2001 - 2006 "
    37. 

  37. 2865263    0x2BB86F   LZMA compressed data, properties: 0x48, dictionary size: 33554432 bytes, 
    38. 

  38. uncompressed size: 16777216 bytes
    39. 

  39. 3037283    0x2E5863   LZMA compressed data, properties: 0x5C, dictionary size: 33554432 bytes, 
    40. 

  40. uncompressed size: 16777216 bytes
    41. 

  41. 3037543    0x2E5967   LZMA compressed data, properties: 0xB4, dictionary size: 33554432 bytes, 
    42. 

  42. uncompressed size: 16777216 bytes
    43. 

  43. 3209377    0x30F8A1   LZMA compressed data, properties: 0x40, dictionary size: 2097152 bytes, 
    44. 

  44. uncompressed size: 2097216 bytes
    45. 

  45. 3350495    0x331FDF   LZMA compressed data, properties: 0xB8, dictionary size: 16777216 bytes, 
    46. 

  46. uncompressed size: 538981760 bytes
    47. 

  47. 3445523    0x349313   LZMA compressed data, properties: 0x40, dictionary size: 16777216 bytes, 
    48. 

  48. uncompressed size: 949368448 bytes
    49. 

  49. 3563851    0x36614B   LZMA compressed data, properties: 0x90, dictionary size: 16777216 bytes, 
    50. 

  50. uncompressed size: 33554432 bytes
    51. 

  51. 3652626    0x37BC12   GIF image data, version "89a", 16 x 16
    52. 

  52. 3653238    0x37BE76   GIF image data, version "89a", 16 x 16
    53. 

  53. 3654302    0x37C29E   GIF image data, version "89a", 16 x 16
    54. 

  54. 3655370    0x37C6CA   GIF image data, version "89a", 16 x 16
    55. 

  55. 3734691    0x38FCA3   LZMA compressed data, properties: 0x88, dictionary size: 33554432 bytes, 
    56. 

  56. uncompressed size: 167772160 bytes
    57. 

  57. 3737404    0x39073C   Copyright string: " (c) 1996-2000 Express Logic Inc. * ThreadX R3900/Green Hills "
    58.

Comments

Post a Comment

Popular posts from this blog

sxhkd volume andbrightness config for dwm on void

xbps-install  sxhkd ------------ mkdir .config/sxhkd cd .config/sxhkd nano/vim sxhkdrc -------------------------------- XF86AudioRaiseVolume         amixer -c 1 -- sset Master 2db+ XF86AudioLowerVolume         amixer -c 1 -- sset Master 2db- XF86AudioMute         amixer -c 1 -- sset Master toggle alt + shift + Escape         pkill -USR1 -x sxhkd XF86MonBrightnessUp          xbacklight -inc 20 XF86MonBrightnessDown          xbacklight -dec 20 ------------------------------------------------------------- amixer -c card_no -- sset Interface volume run alsamixer to find card no and interface names xbps-install -S git git clone https://git.suckless.org/dwm xbps-install -S base-devel libX11-devel libXft-devel libXinerama-devel  vim config.mk # FREETYPEINC = ${X11INC}/freetype2 #comment for non-bsd make clean install   cp config.def.h config.h vim config.h xbps-install -S font-symbola #for emoji on statusbar support     void audio config xbps-i
1 comment
Read more

Hidden Wiki

Welcome to The Hidden Wiki New hidden wiki url 2015 http://zqktlwi4fecvo6ri.onion Add it to bookmarks and spread it!!! Editor's picks Bored? Pick a random page from the article index and replace one of these slots with it. The Matrix - Very nice to read. How to Exit the Matrix - Learn how to Protect yourself and your rights, online and off. Verifying PGP signatures - A short and simple how-to guide. In Praise Of Hawala - Anonymous informal value transfer system. Volunteer Here are five different things that you can help us out with. Plunder other hidden service lists for links and place them here! File the SnapBBSIndex links wherever they go. Set external links to HTTPS where available, good certificate, and same content. Care to start recording onionland's history? Check out Onionland's Museum Perform Dead Services Duties. Introduction Points Ahmia.fi - Clearnet search engine for Tor Hidden Services (allows you
5 comments
Read more

download office 2021 and activate

get office from here  https://tb.rg-adguard.net/public.php open powershell as admin (win+x and a ) type cmd  goto insall dir 1.         cd /d %ProgramFiles(x86)%\Microsoft Office\Office16 2.           cd /d %ProgramFiles%\Microsoft Office\Office16 try 1 or 2 depending on installation  install volume license  for /f %x in ('dir /b ..\root\Licenses16\ProPlus2021VL_KMS*.xrm-ms') do cscript ospp.vbs /inslic:"..\root\Licenses16\%x" activate using kms cscript ospp.vbs /setprt:1688 cscript ospp.vbs /unpkey:6F7TH >nul cscript ospp.vbs /inpkey:FXYTK-NJJ8C-GB6DW-3DYQT-6F7TH cscript ospp.vbs /sethst:s8.uk.to cscript ospp.vbs /act Automatic script (windefender may block it) ------------------------------------------------------------------------------------------------------------------- @echo off title Activate Microsoft Office 2021 (ALL versions) for FREE - MSGuides.com&cls&echo =====================================================================================&
Post a Comment
Read more