Amtec (ElsagDatamag) Argo 55/95 – Take 5: Dump the flash

Now that we have gained access to the box, let’s start gathering some info – this is the very first step if we want to try to build a custom firmware.

First of all, let’s make a dump of the flash.

We said that the router has telnet access: when we log in, we’re in the command line shell of OpenRG. From there we can control various aspects of the box, but if we type ‘system shell’ and press enter… voilà! We’re in a busybox shell!

We can put a pendrive in one of the USB ports and mount it:

mount /dev/sda1 /mnt/flash

then use dd to dump the flash:

dd if=/dev/mtdblock0 of=/mnt/flash/flashimage.img bs=1m 

Now we have a 16 MB file, but what is inside it?

We saw that our router uses U-Boot as its bootloader. This is a good thing: U-Boot is open source, and this build still includes a bunch of useful commands.

With flayout, we get the layout of the flash:

=> flayout
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0x00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0x00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0x00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0x00000400

Also, from bdinfo, we know the address at which the flash starts:

flashstart = 0xBF000000

Now, we can split our flash image:

dd if=flashimage.img of=uboot.img ibs=1 count=$((0x00060000))

dd if=flashimage.img of=openrg_1.img ibs=1 skip=$((0x00060000)) count=$((0x003E0000))

dd if=flashimage.img of=openrg_2.img ibs=1 skip=$((0x00440000)) count=$((0x00AE0000))

dd if=flashimage.img of=conf_1.img ibs=1 skip=$((0x00F20000)) count=$((0x00060000))

dd if=flashimage.img of=conf_2.img ibs=1 skip=$((0x00F80000)) count=$((0x00060000))

dd if=flashimage.img of=conf_factory.img ibs=1 skip=$((0x00FE0000)) count=$((0x0001FC00))

dd if=flashimage.img of=layout.img ibs=1 skip=$((0x00FFFC00)) count=$((0x00000400))
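As an added example (not from the original post), the same split done in a small Python script: it parses the flayout listing, turns the absolute addresses into dump offsets using the flashstart value from bdinfo, checks that the sections are in order, do not overlap and fit inside the dump, and carves them out. The output file names and the checks are my own choice, not something the router or U-Boot defines.

```python
import re
import sys
from typing import Dict, List, NamedTuple

# Constructed copy of the U-Boot 'flayout' output shown above and the
# 'flashstart' value from 'bdinfo' (both values are taken from the post).
FLAYOUT = """\
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0x00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0x00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0x00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0x00000400
"""
FLASH_START = 0xBF000000

LINE_RE = re.compile(
    r"Section (\d+) Type (\w+) Address (0x[0-9A-Fa-f]+) MaxSize (0x[0-9A-Fa-f]+)")

class Section(NamedTuple):
    index: int
    kind: str
    offset: int  # byte offset inside the dump = Address - flashstart
    size: int

def parse_flayout(text: str, flash_start: int = FLASH_START) -> List[Section]:
    """Turn the flayout listing into dump-relative sections."""
    return [Section(int(i), k, int(a, 16) - flash_start, int(s, 16))
            for i, k, a, s in LINE_RE.findall(text)]

def check_layout(sections: List[Section], image_len: int) -> int:
    """Sections must be ascending, non-overlapping and inside the dump; returns bytes covered."""
    end, covered = 0, 0
    for s in sections:
        if s.offset < end or s.offset + s.size > image_len:
            raise ValueError(f"section {s.index:02d} ({s.kind}) overlaps or exceeds the dump")
        end, covered = s.offset + s.size, covered + s.size
    return covered

def carve(image: bytes, sections: List[Section]) -> Dict[str, bytes]:
    """Slice the dump into one blob per section, keyed like 'sec01_image'."""
    return {f"sec{s.index:02d}_{s.kind.lower()}": image[s.offset:s.offset + s.size]
            for s in sections}

if __name__ == "__main__":  # usage: python carve.py flashimage.img
    img = open(sys.argv[1], "rb").read()
    secs = parse_flayout(FLAYOUT)
    check_layout(secs, len(img))  # raises if the layout does not fit the dump
    for name, blob in carve(img, secs).items():
        open(name + ".img", "wb").write(blob)
```

For this layout the seven sections are contiguous and cover exactly the 16 MB dump, so check_layout returning anything less would mean the listing and the dump do not belong together.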

Ok, time to fire up a hex editor :)


Update (28/01/2012)

Since someone asked for it, here are all the pieces of the flash dump that shouldn’t contain sensitive data. I haven’t been able to unpack the openrg images yet, so if you find a way, please drop me a note.

uboot.img

openrg_1_n.img

openrg_2_n.img

layout.img

Also, here’s the stuff that the router downloaded from the provisioning server during the last update:

ED_ARGO95_1.3.19.kit (update image)

ED_ARGO95_1.3.19.txt (default configuration)


Update 2 (03/02/2012)

And here are also the two missing pieces, the configuration area and the factory area.

I did my best to remove all the sensitive data, but I’m fairly sure I missed something.

conf_1_edit.img

conf_factory_edit.img


Update 3 (22/03/2012)

I finally fetched the new firmware releases from the Fastweb server, the ones with the interface locked out.

ED_ARGO95_0.4.4.conf
ED_ARGO95_0.4.4.kit
ED_ARGO95_1.4.4.conf
ED_ARGO95_1.4.4.kit
ED_ARGO95_0.4.52.conf
ED_ARGO95_0.4.52.kit
Written by bano on 2012/01/21 Categories: Hacking

11 Comments

  • purputy says:

    Hi bano, please can you share with us your dd backup?
    Thanks a lot

    • bano says:

      Hi!
      I’ve just updated the post – I attached all the parts that shouldn’t contain sensitive data (that is, everything except the two rg_conf and the factory areas). If you find a way to unpack the two uboot images (openrg_1 and openrg_2), please let me know.

  • iulius says:

    Hi! In your opinion, what is the way to be able to get back into the WEB-GUI … for those like me who no longer have access to the console interface like Elsag … ? … before I could even access it because I know the IP MAN.

    • bano says:

      Hi iulius! As I said, in my opinion the best way is to access via the serial port, and try to reconfigure the router from there.
      Let me know if you need any help.

  • iulius says:

    Hi!
    Yes, … but what are the commands to give in the serial console to reconfigure the router …
    Then there is the issue that every time you turn the router back on,
    it downloads the config from the Fast server … so that is not the best we can do, as attacking the serial port often to reconfigure …
    I thought of another thing … take all the data from the router and configure another type of software router (pfSense, ZeroShell) so that it also emulates the MAC, IP and other parameters … to give up the ARGO …
    Just to JOI, I don’t even need config for VoIP.

    • bano says:

      Uhm… Configuring a software router is surely a nice project, but I’m fairly sure that trying to fix the Argo is an easier solution.
      The commands you should look for are the ‘conf’ commands: i.e., with ‘conf print /’ you can print the entire configuration file. You also have the opportunity to upload the file to a tftp server (‘conf upload download’), edit it and download it back onto the router (‘conf download upload’).
      Also, when you regain access to the router, you can configure it to avoid connections to the ACS server (see this post: http://lab.algasystems.net/2012/01/amtec-elsagdatamag-argo-5595-take-4-hardening/).

  • purputy says:

    Hi,
    I am trying to port this very good firmware to another similar architecture but it crashed because I’m not able to recreate the factory area and the config one. Can somebody share these two flash zones? It is very simple to remove sensitive data: just change the user and password from the webif and the MAC address with a hex edit on the factory backup. Another question… I’m not a fast*eb user and I don’t have access to the firmware update server; can somebody share the last firmware image for the argo55 (I think the web address is like this: https://update.elsagdatamat.com/ or this: http://59.0.121.191:8080/ACS-server/file/ED_ARGO55_1.3.19.kit )
    Thank you…

    • bano says:

      Hi purputy, I already tried to fetch the ARGO55 one, but unfortunately the filename seems to be different. Maybe the version numbering is not the same – even though the firmware must be very similar (excluding the ADSL modules).
      As for the factory and rg_conf areas, I’ll try to put them online ASAP. I’m a bit doubtful about rg_conf, since it appears encrypted (there’s no plain text data in it, apart from the ‘rg_conf’ header). Do you have further info about its format?
      Also, out of curiosity, what architecture are you porting the firmware to?

      • purputy says:

        I need the adsl version because the ethernet driver in this one crashes when I try to use it (and I need the adsl driver too). rg_conf is compressed by deflate and relatively simple to decompress, but it is not so easy to recreate the rg_config header after an edit. I am trying to port it to the Alice Gate Voip Wifi, Bbox and Livebox2 because the argo’s firmware/kernel is the best one.

        • bano says:

          I edited the post, adding the rg_conf and rg_factory areas. I somewhat removed the sensitive data (almost: I’m sure there are still some MAC addresses in rg_conf).
          Hope these can be useful. Is there a forum or a blog where I can read more about your porting efforts?

  • […] then do a dump of your entire flash (if you haven’t already done it) using the instructions posted here. […]
