OpenWrt Forum Archive

Topic: Extracting Files and Folders from Linksys Firmware

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am looking for some guidance on extracting the files/folders from a standard Linksys E4200 image. I would like to browse through the www directory and look for "undocumented" web interfaces or pages. I have read https://dev.openwrt.org/attachment/ticket/2711/info.txt and some other links that show how to dd the files out based on file header information, and although I have done some forensic file carving in the past, this is a bit new to me. So I'm leaning on the experts in this forum. Below is the image and MD5sum of the file (which can be downloaded from cisco.com):

FW_E4200_1.0.01.010_US_20110221_code.bin
6b4ff1fc7ddab4e43415b0fd0d2cbbb9 

Here's a snippet of the hex dump:

0000000: 3432 3030 0000 0000 0b02 1501 0001 5532  4200..........U2
0000010: 4e44 000a 1f00 0000 0000 0000 0000 0000  ND..............
0000020: 4844 5230 00e0 9100 812a 8b8f 0000 0100  HDR0.....*......
0000030: 1c00 0000 a408 0000 7494 0b00 1f8b 0800  ........t.......
0000040: 0000 0000 0203 8d57 5d68 1cd7 15fe e6ce  .......W]h......
0000050: 481a cb4b 72b5 5a87 51a2 94b9 ded1 6a91  H..Kr.Z.Q.....j.
0000060: 523a 6955 a3c2 3e4c 569b 60fa 03b2 6268  R:iU..>LV.`...bh
0000070: 1e82 d94a 4af1 8309 0e4e c10f 7d98 ca4a  ...JJ....N..}..J
0000080: b20d b267 531c ba2f 8545 921d 1754 adeb  ...gS../.E...T..
0000090: b649 1ee2 5ac8 a675 c185 d481 a6d0 17e1  .I..Z..u........
00000a0: 1892 9742 2194 b8ee cff4 3bfb 531b bb6e  ...B!.....;.S..n
00000b0: 2b58 a4bd f7dc f39d f39d ef9e 7315 c683  +X..........s...
00000c0: 25a0 6210 f795 c2a1 3301 e2fe d227 8fff  %.b.....3....'..
00000d0: 2a00 cead 00b5 0d07 677c 07cb fe84 7b16  *.......g|....{.
00000e0: b753 3f07 fe58 b18e 303a 1404 b550 79f0  .S?..X..0:...Py.
00000f0: b3b2 b6f4 fa10 14dc c0a9 1555 6c67 83a0  ...........Ulg..

And here is what I think I have figured out:

3432 3030 = 4200 (MAGIC Platform ID)
0000 0000 = res1
0b02 15   = Year: 2011 (0x0b), Month: Feb (0x02), Date: 21 (0x15)
01        = Major version number (1.)
00        = Middle version number (1.0)
01        = Minor version number (1.0.1)
5532 4e44 = ID: (U2ND)
00        = HW_VER
0a        = S/N
1f00      = FLAGS
0000      = STABLE
0000      = TRY1
0000      = TRY2
0000      = TRY3
0000      = RES3
4844 5230 = HDR0 (MAGIC NUMBER 'HDR0')
00e0 9100 = Length [Header+Data] (Conv=>Big Endian 0x0091e000=14,717,184 (9,561,088=0091e400)
812a 8b8f = 32-bit CRC (strip trailing 091cf5F->091e3ff = 5,280 and crc32)
0000      = TRX flags
0100      = TRX Version
1c00 0000 = Partition offset [0] (lzma-loader)
a408 0000 = Partition offset [1] (Linux-Kernel)
7494 0b00 = Partition offset [2] (RootFS)
1f8b 0800 = Partition offset [3] (bin-Header)

Any tips on how to dd these sections out into independent files based on the above offsets?  Any help would be greatly appreciated.

Thank you!

(Last edited by ManOnFire on 10 May 2011, 19:12)

Well, I guess it's time to answer my own question:

dd if=FW_E4200_1.0.01.010_US_20110221_code.bin of=seg1 bs=1 skip=60 count=2184
dd if=FW_E4200_1.0.01.010_US_20110221_code.bin of=seg2 bs=1 skip=2244 count=756688
dd if=FW_E4200_1.0.01.010_US_20110221_code.bin of=seg3 bs=1 skip=758932 count=8802188
unsquashfs-lzma -dest FILESYSTEM/ seg3
ls -la FILESYSTEM/www

Is there a better way to do this?

Thanks!
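Added example, not part of the original posts and not OpenWrt project code: a small Python parser that locates the TRX header in an image, validates the partition offsets, and derives dd skip/count values like the ones above. It assumes a TRX version 1 layout (28-byte little-endian header with three partition offsets); the sample bytes are the first 64 bytes of the posted hex dump, and `firmware.bin` is a placeholder file name.

```python
import struct

# First 64 bytes of the hex dump posted above (vendor header, TRX header,
# and the first 4 bytes of partition 0).
SAMPLE = bytes.fromhex(
    "34323030000000000b02150100015532"
    "4e44000a1f0000000000000000000000"
    "4844523000e09100812a8b8f00000100"
    "1c000000a408000074940b001f8b0800"
)

# Assumed TRX v1 layout: magic, length, crc32, flags, version, offsets[3]
TRX_HEADER = struct.Struct("<4sIIHH3I")


def trx_segments(image: bytes):
    """Return (trx_start, [(index, file_offset, size), ...]) for a TRX v1 image."""
    start = image.find(b"HDR0")  # skip whatever vendor header precedes TRX
    if start < 0 or len(image) < start + TRX_HEADER.size:
        raise ValueError("no complete TRX header found")
    magic, length, crc, flags, version, *offsets = TRX_HEADER.unpack_from(image, start)
    if version != 1:
        raise ValueError(f"unsupported TRX version {version}")
    used = [o for o in offsets if o]  # a zero offset marks an unused slot
    # Header values are untrusted input: check ordering and bounds before carving.
    if (not used or used != sorted(used)
            or used[0] < TRX_HEADER.size or used[-1] >= length):
        raise ValueError("partition offsets are inconsistent with TRX length")
    ends = used[1:] + [length]  # each partition runs to the next one, or to TRX end
    return start, [(i, start + o, e - o) for i, (o, e) in enumerate(zip(used, ends))]


def dd_commands(image: bytes, path: str):
    """Build one dd command per partition, using absolute file offsets."""
    _, segs = trx_segments(image)
    return [f"dd if={path} of=seg{i + 1} bs=1 skip={off} count={size}"
            for i, off, size in segs]


if __name__ == "__main__":
    for cmd in dd_commands(SAMPLE, "firmware.bin"):  # placeholder file name
        print(cmd)
```

The last partition's size is bounded by the TRX length field rather than by the file size, so any bytes that follow the TRX container in the file are not included in it.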

The discussion might have continued from here.