Analysis of Asus TRX firmware

Introduction

 Analysis of file FW_RT_N53_30043763754.trx corresponding to firmware of Asus RT N53.

Header Structure

Offset Size (Bytes) Item Value (FW_RT_N53_30043763754.trx)
0 4 Magic Bytes HDR0
4 4 Length (including header) 0x00707000
8 4 CRC32 (for data from offset 0xC) 0x512E08B5
0xC 2 Flags 0
0x0E 2 Version 0x0001
0x10 4 Loader Offset 0x0000001C
0x14 4 Kernel Offset 0x00000A8C
0x18 4 Rootfs Offset 0x001299EC


Analysis

If the magic bytes is HDR0 firmware is little endian.

1. Verify size of file is same as that in header, ie. 0x707000 or 7368704 bytes.

2. To calculate CRC32 extract data from offset 0xC.
dd iflag=skip_bytes if=fw.trx skip=$((0xC)) of=crc_data

Calculate CRC32:
crc32 crc_data

Convert result  obtained, 0xaed1f74a to signed value and verify with header.
printf %X $((~0xaed1f74a & 0xFFFFFFFF))

3. Extract loader:
dd iflag=skip_bytes,count_bytes if=fw.trx skip=$((0x1C)) count=$((0xA8C - 0x1C)) of=loader

4. Extract kernel:
dd iflag=skip_bytes,count_bytes if=fw.trx skip=$((0xA8C)) count=$((0x1299EC - 0xA8C)) of=kernel

5. Extract rootfs:
dd iflag=skip_bytes,count_bytes if=fw.trx skip=$((0x1299EC))  of=rootfs

sasquatch rootfs

Demo



Comments

  1. AlexJuly 12, 2022 at 9:30 AM

    Nice post! I followed your code but realized my firmware doesnt start like yours. Its missing the HDR0, and everything else. Do you have any recommendation on how can I continue? If it helps my firmware is the RT-AC1200_V2_3.0.0.4_382_70167-g57155ad.trx from an asus router (rt-ac1200 v2)

    ReplyDelete

Post a Comment

Popular posts from this blog

Decrypt TP-Link config.bin Configuration Backup File

Image
Configuration backup file can be downloaded from certain TP-Link devices by clicking  Backup button on System Tools > Backup & Restore page. The downloaded configuration file, config.bin is encrypted. To decrypt the config.bin  file, use key 478DA50BF9E3D2CF. openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin -out dec_config.bin First 16 bytes of the output file, dec_config.bin is the MD5 hash of configuration text file. Decrypted file may also contain null byte padding at the end. In this case there are 4 null bytes at the end of file. To extract configuration text file, remove MD5 hash (First 16 bytes) and padding (Last 4 bytes).  dd if=dec_config.bin of=config.txt bs=1 skip=16 truncate -s -4 config.txt Output file, config.txt contains the configurations. Its MD5 hash should match the MD5 given in dec_config.bin. Demo
Read more

Firmadyne Installation & Emulation of Firmware

Image
   Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne....
Read more

Extract / Create Cramfs File System from Ubuntu 20.04

Image
  Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert  cramfs   file to little endian file  cramfs_le  using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le  to folder  fs  using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder  fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Demo
Read more