OpenWrt Forum Archive

Topic: Help extracting firmware files

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I would like to extract the firmware from a wrt54gc, here is the short beginning of the hexdump :

00000000  00 01 00 00 05 10 4b 00  00 10 00 00 00 00 00 00  |......K.........|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 06 03  00 00 00 00 00 00 00 03  |................|
00000030  00 00 10 28 00 00 00 04  61 44 6d 42 6c 4b 3d ff  |...(....aDmBlK=ÿ|
00000040  ff ff ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |ÿÿÿ.............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  00 00 00 00 12 39 00 10  00 00 03 00 00 00 ec db  |.....9........ìÛ|
00000210  07 54 13 4b db 00 e0 d9  24 84 00 01 62 2f 58 22  |.T.KÛ.àÙ$...b/X"|
00000220  22 36 d4 45 b1 b7 d8 1b  2a 56 2c a8 a0 28 88 a8  |"6ÔE±·Ø.*V,š (.š|

I was looking for the string "Compressed" but it is not present, so I wonder what kind of filesystem it is? I guess it is not a cramfs one in fact. Thanks in advance.

Try a grep with the word Compre.

000a3960  03 00 00 00 00 00 00 00  43 6f 6d 70 72 65 73 73  |........Compress|
000a3970  65 64 20 52 4f 4d 46 53  4a 11 4e 37 00 00 00 00  |ed ROMFSJ.N7....|
000a3980  8f 07 00 00 0e 01 00 00  43 6f 6d 70 72 65 73 73  |........Compress|
000a3990  65 64 00 00 00 00 00 00  ed 41 00 00 b0 00 00 00  |ed.......A......|

This is how the hexdump looks for WRT54GV2_3.03.1_ETSI_code.bin

(Last edited by asmodemon on 3 Jun 2005, 19:25)

Thanks for your tip, asmodemon, this is what I tried before, and there is no matching string corresponding to Comp, Compressed, Com, ssed .... So that is why I really wonder what kind of filesystem it is. It does not look like jffs2, nor squash, nor cramfs?

Do you know about any list of filesystem headers to which I can compare the result ?

I also have the aDmBlk= string except this is from firmware for a Netgear WGR614v1 wireless router.
I am very curious what filesystem this is.

The firmware has 3 blocks: a header with the "admblk=" signature, a filesystem compressed with ZIP, and a trailer with the signature "**rcom".
The compressed filesystem begins with the signature PK ..... file name. Split the firmware file into 3 parts, decompress the ZIP block and enjoy!
The header size is usually 36536 bytes long.
Sorry for my very poor English.
Additional comments on polukot(dog)mail.ru

(Last edited by polukot on 19 Nov 2005, 23:45)
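The three-block layout described above (header carrying an admblk= signature, a ZIP-compressed filesystem that starts with a PK local-file-header signature, and a **rcom trailer) can be split mechanically once the signatures are located. The following is an added example, not code from this thread or from any of the posters; it builds its own sample image in memory, matches the header signature case-insensitively because the first hexdump in the thread shows it as "aDmBlK=", and takes the exact signature bytes and the 36536-byte header size from the post above as assumptions about the format rather than verified facts.

```python
import io
import zipfile
from typing import Dict, Tuple

HEADER_SIG = b"admblk="   # header signature from the post above; matched case-insensitively
ZIP_SIG = b"PK\x03\x04"   # ZIP local file header: the compressed filesystem starts here
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record: the ZIP block ends after it
TRAILER_SIG = b"**rcom"   # trailer signature from the post above (assumption)
HEADER_SIZE = 36536       # header length the post calls typical; used only to build the sample


def header_signature_offset(image: bytes) -> int:
    """Offset of the header signature, matched case-insensitively; -1 if absent."""
    return image.lower().find(HEADER_SIG)


def split_firmware(image: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split an image into (header, zip_block, trailer).

    The ZIP block starts at the first local-file-header signature and ends
    after the end-of-central-directory record (22 bytes plus its comment);
    everything before it is the header, everything after it the trailer.
    """
    if header_signature_offset(image) < 0:
        raise ValueError("header signature not found; not the expected layout")
    zip_start = image.find(ZIP_SIG)
    if zip_start < 0:
        raise ValueError("no ZIP local file header found")
    eocd = image.rfind(EOCD_SIG)
    if eocd < zip_start:
        raise ValueError("no end-of-central-directory record after the ZIP start")
    comment_len = int.from_bytes(image[eocd + 20:eocd + 22], "little")
    zip_end = eocd + 22 + comment_len
    header, zip_block, trailer = image[:zip_start], image[zip_start:zip_end], image[zip_end:]
    if TRAILER_SIG not in trailer:
        raise ValueError("trailer signature not found after the ZIP block")
    return header, zip_block, trailer


def list_members(zip_block: bytes) -> Dict[str, bytes]:
    """Decompress every member of the carved ZIP block into a name -> bytes map."""
    with zipfile.ZipFile(io.BytesIO(zip_block)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_sample_image() -> bytes:
    """Constructed sample in the described layout (not a real firmware dump)."""
    header = bytearray(HEADER_SIZE)
    header[0x38:0x38 + len(HEADER_SIG)] = b"aDmBlK="  # same offset and mixed case as the first hexdump
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("www/index.html", "<html><body>constructed sample</body></html>")
        zf.writestr("etc/version", "1.0-constructed\n")
    trailer = TRAILER_SIG + bytes(10)
    return bytes(header) + buf.getvalue() + trailer


if __name__ == "__main__":
    hdr, zb, tr = split_firmware(build_sample_image())
    print(f"header {len(hdr)} bytes, zip {len(zb)} bytes, trailer {len(tr)} bytes")
    for name, data in list_members(zb).items():
        print(f"  {name}: {len(data)} bytes")
```

Reading the real image is a matter of passing `open(path, "rb").read()` to `split_firmware` instead of the constructed sample. The ZIP end is taken from the end-of-central-directory record rather than from the trailer signature, so a "**rcom" byte sequence that happens to occur inside compressed data cannot truncate the carved block.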

I'm interested in the wrt54gc firmware too. Polukot, what version of the firmware do you have? I can't find any PK signature in the versions I have (1.045 and 1.030).

So, I hack Netgear and Ovislink firmware. I can't say any more about the wrt54, but if you can put up a download link to the needed firmware I can try to decompile it.
br.

I have also seen this used in Belkin firmwares: "F5D7231-4 UK v5.01.11.BIN" works on the F5D7231-4 v2000 USA version.

I'm looking at something similar for another Belkin product. They recently switched format from header+cramfs+cramfs+cramfs+{etc}+trailer, which was fairly easy to tweak (different developer, new tools or something, I suppose).

I think there's something like a set of JFFS2 partitions with a header and trailer in there. JFFS has built-in compression, which would explain why there are no obvious HTML tags, JPEG headers etc.

The following script uses dd and file to walk through the ROM image, pulling small chunks out and logging what file thinks they are. I used it to work out where JFFS headers might be. It's the least pretty script I've ever written, and it takes forever. If you can tidy it up (particularly speed it up; this takes 15 mins on a Pentium D 945 in a ramdisk), please do. The size of the particular binary I'm looking at is 615249 bytes:

[barry@dell mem]$ cat looper.sh
#!/bin/bash
# Walk the image one byte at a time: at every offset carve a 256-byte window
# with dd and append the offset plus file(1)'s guess for it to log.txt.
for ((i=1;i<=615249;i+=1)); do
    dd if=F5D7230-4v6_UK_8.01.09.bin skip=$i count=256 bs=1 of=temp.bin 2>/dev/null
    echo "$i," >> log.txt
    file -b temp.bin >> log.txt
done

I then grep log.txt:
grep -v fs log.txt
which yields lots of nonsense, as you'd expect. Grepping for jffs gives:

15713,
Linux old jffs2 filesystem data little endian
195706,
Linux old jffs2 filesystem data little endian
397166,
Linux old jffs2 filesystem data little endian
543503,
Linux old jffs2 filesystem data little endian

I read this as saying there are 5 chunks:
15KByte header (which seems unlikely)
40KByte JFFS partition
200KByte JFFS partition
150KByte JFFS partition
70KByte JFFS partition +trailer

I found very little relevant about opening JFFS firmware files online (why I'm writing this now really), but the following look useful:

http://esslab.tw/wiki/index.php/%E5%88% … 9E:MTD_SOP
somebody's notes on mounting ready-made JFFS2 partitions

https://svn.openwrt.org/openwrt/trunk/s … ugimage.pl
this is a perl script that the OpenSlug people used to crack open the linksys firmware images for the NSLU2 storage device.

I'm irritated by the fact I don't fully understand this, so it's my project for the next week or so. Post back if you get anywhere...
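The dd-and-file loop above spawns two processes per byte offset and trusts file(1)'s 2-byte JFFS2 magic match, which is why it takes minutes and why some of its hits can be noise. As an added example (not the poster's script and not from any project), the scanner below does the same job in a few passes over the whole image with a table of filesystem magics, which also answers the earlier question about a list of filesystem headers to compare against. The JFFS2, cramfs, squashfs and ZIP constants are the on-disk values used by the respective Linux drivers and formats; for JFFS2 hits it additionally checks the node header's own CRC, so a stray 0x1985 in ordinary data is dropped. The sample image it scans is constructed in memory.

```python
import struct
import zlib
from functools import partial
from typing import Callable, List, Optional, Tuple


def jffs2_crc(data: bytes) -> int:
    """CRC32 the way JFFS2 computes it: seed 0 and no final inversion.

    zlib's crc32 inverts on entry and on exit, so seeding it with 0xFFFFFFFF
    and inverting the result yields the JFFS2 variant.
    """
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def jffs2_header_valid(image: bytes, off: int, big_endian: bool = False) -> bool:
    """Validate the 12-byte JFFS2 node header at off: magic, nodetype, totlen, hdr_crc.

    hdr_crc covers the first 8 header bytes, so a random 0x1985 inside data
    (which file(1) on a 256-byte window would still report) is rejected here.
    """
    if off < 0 or off + 12 > len(image):
        return False
    fmt = ">HHII" if big_endian else "<HHII"
    magic, _nodetype, totlen, hdr_crc = struct.unpack(fmt, image[off:off + 12])
    if magic not in (0x1985, 0x1984):
        return False
    if totlen < 12 or off + totlen > len(image):  # the node must fit inside the image
        return False
    return jffs2_crc(image[off:off + 8]) == hdr_crc


Validator = Optional[Callable[[bytes, int], bool]]
JFFS2_LE = partial(jffs2_header_valid, big_endian=False)
JFFS2_BE = partial(jffs2_header_valid, big_endian=True)

# (description, magic bytes, offset of the magic inside its structure, validator)
MAGICS: List[Tuple[str, bytes, int, Validator]] = [
    ("jffs2 node (magic 0x1985, little endian)", b"\x85\x19", 0, JFFS2_LE),
    ("jffs2 node (old magic 0x1984, little endian)", b"\x84\x19", 0, JFFS2_LE),
    ("jffs2 node (magic 0x1985, big endian)", b"\x19\x85", 0, JFFS2_BE),
    ("cramfs superblock (little endian)", b"\x45\x3d\xcd\x28", 0, None),
    ("cramfs superblock (big endian)", b"\x28\xcd\x3d\x45", 0, None),
    ("cramfs superblock (signature string)", b"Compressed ROMFS", 16, None),
    ("squashfs superblock (little endian)", b"hsqs", 0, None),
    ("squashfs superblock (big endian)", b"sqsh", 0, None),
    ("zip local file header", b"PK\x03\x04", 0, None),
    ("gzip member", b"\x1f\x8b\x08", 0, None),
]


def scan_magics(image: bytes) -> List[Tuple[int, str]]:
    """One pass per magic over the whole image; returns (structure_offset, description).

    structure_offset is the match position minus the magic's offset inside its
    structure, so the cramfs "Compressed ROMFS" string (superblock + 16) reports
    the superblock start rather than the string itself.
    """
    hits: List[Tuple[int, str]] = []
    for name, magic, delta, validate in MAGICS:
        pos = image.find(magic)
        while pos >= 0:
            start = pos - delta
            if start >= 0 and (validate is None or validate(image, start)):
                hits.append((start, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed test image (not a real dump): a cramfs superblock start, a stray
    0x1985 with a bad header CRC, a genuine JFFS2 cleanmarker node, and a ZIP header."""
    img = bytearray(64)                                              # padding
    img += b"\x45\x3d\xcd\x28" + bytes(12) + b"Compressed ROMFS"      # cramfs superblock at 64
    img += bytes(32)
    img += b"\x85\x19\x03\x20\x0c\x00\x00\x00" + b"\xde\xad\xbe\xef"  # bogus crc at 128
    img += bytes(4)
    hdr = struct.pack("<HHI", 0x1985, 0x2003, 12)                    # cleanmarker: type 0x2003, len 12
    img += hdr + struct.pack("<I", jffs2_crc(hdr))                   # valid node at 144
    img += bytes(4)
    img += b"PK\x03\x04" + bytes(26)                                 # zip local header at 160
    return bytes(img)


if __name__ == "__main__":
    for off, name in scan_magics(build_sample_image()):
        print(f"{off},\n{name}")  # same two-line shape as the grep of log.txt above
```

On a real image, replace `build_sample_image()` with the file's bytes; the whole scan is a handful of `bytes.find` passes, so a 600 KB image finishes in well under a second instead of 15 minutes. Any hit that survives `jffs2_header_valid` is a plausible partition start, and the gaps between consecutive valid hits give the chunk sizes the post estimates by eye.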

0ctal

inspired this:

#!/bin/bash
# Try every byte offset as the start of a JFFS2 image: map the file through
# a loop device at that offset and see whether the kernel will mount it.
# On a hit the filesystem is left mounted on /mnt for inspection.
for ((i=1;i<=2098318;i+=1)); do
    echo $i
    losetup -o $i /dev/loop0 360AMX2C0.bin
    if ! mount -t jffs2 /dev/loop0 /mnt; then
        echo "Couldn't mount"
        losetup -d /dev/loop0
    else
        echo "Hit, we got a hit, Merry Christmas 2008!"
        exit
    fi
done

Ha! I finally noticed your reply... thanks for posting that. Compiled it here and it does exactly what I was trying to do, but in a sensible and logical manner...

cheers

Barry

The discussion might have continued from here.