Now that we have gained access to the box, let’s start gathering some information: this is the very first step if we want to try to build a custom firmware.
First of all, let’s make a dump of the flash.
We said that the router has telnet access: when we log in, we land in the OpenRG command line shell. From there we can control various aspects of the box, but if we type ‘system shell‘ and press enter… voilà! We’re in a busybox shell!
We can put a pendrive in one of the USB ports and mount it (create the mount point first if it doesn’t exist):
mount /dev/sda1 /mnt/flash
then use dd to dump the raw flash device (uppercase M: busybox’s dd understands the k/M/G suffixes, not a lowercase m):
dd if=/dev/mtdblock0 of=/mnt/flash/flashimage.img bs=1M
Now we have a 16 MiB (16777216 bytes) file, but what’s inside?
We saw that our router uses U-Boot as its bootloader. This is a good thing: U-Boot is open source, and this vendor build keeps a bunch of useful commands.
Running flayout in U-Boot gives us the layout of the flash:
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0x00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0x00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0x00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0x00000400
Also, from bdinfo, we know at which address the flash starts:
flashstart = 0xBF000000
Subtracting flashstart from each section address gives that section’s offset inside the dump, so now we can split our flash image (ibs=1 makes dd count in single bytes, which is slow on a 16 MiB file but keeps the arithmetic simple):
dd if=flashimage.img of=uboot.img ibs=1 count=$((0x00060000))
dd if=flashimage.img of=openrg_1.img ibs=1 skip=$((0x00060000)) count=$((0x003E0000))
dd if=flashimage.img of=openrg_2.img ibs=1 skip=$((0x00440000)) count=$((0x00AE0000))
dd if=flashimage.img of=conf_1.img ibs=1 skip=$((0x00F20000)) count=$((0x00060000))
dd if=flashimage.img of=conf_2.img ibs=1 skip=$((0x00F80000)) count=$((0x00060000))
dd if=flashimage.img of=conf_factory.img ibs=1 skip=$((0x00FE0000)) count=$((0x0001FC00))
dd if=flashimage.img of=layout.img ibs=1 skip=$((0x00FFFC00)) count=$((0x00000400))
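The same carving, as an added example that is not part of the original post: a small POSIX shell script that parses the flayout listing, subtracts flashstart, refuses sections that would fall outside the dump, checks that the dump really is 16 MiB before cutting it, and uses 512-byte blocks where a section is aligned (every section in this layout is) instead of byte-at-a-time dd. The embedded section list is a copy of the flayout output above; the file names it produces (secNN_type.img) are this script’s own choice.

```shell
#!/bin/sh
# Carve a raw flash dump into the sections listed by U-Boot's flayout.
# Added example, not code from the original post. Assumes the flayout and
# bdinfo output format shown above; FLAYOUT is a copy of that listing so the
# script runs offline, replace it with your router's own output.
set -eu

FLASHSTART=$((0xBF000000))   # flashstart from bdinfo
FLASHSIZE=$((0x01000000))    # 16 MiB: end of the LAYOUT section minus flashstart

FLAYOUT='Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0x00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0x00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0x00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0x00000400'

# Print one "index type offset size" line per section (decimal values, offset
# relative to flashstart). A section that does not fit in the dump aborts.
layout_table() {
    printf '%s\n' "$FLAYOUT" | while read -r _s idx _t type _a addr _m size; do
        off=$(( $addr - FLASHSTART ))
        len=$(( $size ))
        if [ "$off" -lt 0 ] || [ $((off + len)) -gt "$FLASHSIZE" ]; then
            echo "section $idx at $addr lies outside the flash" >&2
            exit 1   # exits the pipeline subshell, so the function fails
        fi
        printf '%s %s %d %d\n' "$idx" "$type" "$off" "$len"
    done
}

# Offset (decimal) of one section in the dump, e.g. section_offset 02 -> 4456448.
section_offset() {
    layout_table | while read -r idx _type off _len; do
        if [ "$idx" = "$1" ]; then
            echo "$off"
            break
        fi
    done
}

# Carve every section of the dump $1 into $2/secNN_type.img, printing each name.
carve_all() {
    img=$1
    out=$2
    actual=$(wc -c < "$img")
    if [ "$actual" -ne "$FLASHSIZE" ]; then
        echo "dump is $actual bytes, expected $FLASHSIZE" >&2
        return 1
    fi
    mkdir -p "$out"
    layout_table | while read -r idx type off len; do
        name="$out/sec${idx}_$(printf '%s' "$type" | tr 'A-Z' 'a-z').img"
        # 512-byte blocks carve exactly the same bytes as ibs=1 when offset and
        # size are both multiples of 512; otherwise fall back to single bytes.
        if [ $((off % 512)) -eq 0 ] && [ $((len % 512)) -eq 0 ]; then
            dd if="$img" of="$name" bs=512 skip=$((off / 512)) count=$((len / 512)) 2>/dev/null
        else
            dd if="$img" of="$name" bs=1 skip="$off" count="$len" 2>/dev/null
        fi
        echo "$name"
    done
}

# Usage: sh carve.sh flashimage.img out/
if [ $# -eq 2 ]; then
    carve_all "$1" "$2"
fi
```

The size check matters more than it looks: a dd that stopped early (full pendrive, I/O error on the mtd device) silently yields a short file, and carving it by the layout offsets would produce truncated or empty images for the sections near the end, the CONF, FACTORY and LAYOUT areas, without any error from dd itself.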
Ok, time to fire up a hex editor :)
Since someone asked for it, here are all the pieces of the flash dump that shouldn’t contain sensitive data. I haven’t been able to unpack the openrg images yet, so if you find a way, please drop me a note.
Also, here’s the stuff that the router downloaded from the provisioning server during the last update:
ED_ARGO95_1.3.19.kit (update image)
ED_ARGO95_1.3.19.txt (default configuration)
Update 2 (03/02/2012)
And here are also the two missing pieces, configuration area and factory area.
I did my best to remove all the sensitive data, but I’m fairly sure I missed something.
Update 3 (22/03/2012)
I finally fetched from the Fastweb server the new firmware releases, the ones with the interface locked out.
Categorised as: Hacking