Analysis of TP-Link Firmware with Header Version 1

Introduction

Analysis of TP-Link firmware file wr841nv11_wr841ndv11_en_3_16_9_up_boot(150616).bin with header version 1.

Header Structure

Offset Size (Bytes) Item Value
0 4 Version 0x01000000
4 24 Vendor Name TP-Link Technologies
0x1C 36 FW Version Ver. 1.0
0x40 4 HW ID 0x08410011
0x44 4 HW Revision 0x00000001
0x48 4 Unused 0
0x4C 16 Image MD5SUM 0xBF...65
0x5C 4 Unused 0
0x60 16 MD5SUM2 0x23...F0
0x70 4 Unused 0
0x74 4 Kernel Load Address 0x80002000
0x78 4 Kernel Entry Point 0x801CDB90
0x7C 4 FW Length 0x003E0200
0x80 4 Kernel Data Offset 0x00000200
0x84 4 Kernel Data Length 0x000CF72B
0x88 4Rootfs Offset 0x00100000
0x8C 4 Rootfs Data Length 0x002C0000
0x90 4 Bootloader Offset 0x00000000
0x94 4 Bootloader Data Length 0x0000C3B2
0x98 2 FW Ver Hi 0x0003
0x9A 2 FW Ver Mid 0x0010 (16)
0x9C 2 FW Ver Lo 0x0009
0x9E 4Unused 0


Analysis

cp wr841nv11_wr841ndv11_en_3_16_9_up_boot\(150616\).bin image_with_boot.bin

1. Verify MD5SUM of file. MD5 salt for image containing bootloader is 0x8cef335bd5c5cefaa79c28dab2e90f42. Replace MD5SUM in header with salt and then calculate MD5SUM of whole file.

cp image_with_boot.bin tmp.bin

printf '\x8c\xef\x33\x5b\xd5\xc5\xce\xfa\xa7\x9c\x28\xda\xb2\xe9\x0f\x42' | dd of=tmp.bin bs=1 seek=$((0x4C)) conv=notrunc

md5sum tmp.bin

2. In firmware containing bootloader, bootloader starts immediately after the header.

dd if=image_with_boot.bin iflag=skip_bytes,count_bytes of=bootloader.bin skip=$((0x200)) count=$((0xC3B2))

3. Extract rest of the firmware which contain a header, kernel and rootfs. It starts at offset 0x20200.

dd if=image_with_boot.bin iflag=skip_bytes,count_bytes of=fw.bin skip=$((0x20200))

4. MD5 salt for firmware is 0xdcd73aa5c39598fbddf9e7f40eae4738. To verify MD5, replace MD5SUM value in header with salt and then calculate MD5SUM.

cp fw.bin tmp.bin

printf '\xdc\xd7\x3a\xa5\xc3\x95\x98\xfb\xdd\xf9\xe7\xf4\x0e\xae\x47\x38' | dd of=tmp.bin bs=1 seek=$((0x4C)) conv=notrunc

md5sum tmp.bin

5. Extract kernel:

dd iflag=skip_bytes,count_bytes if=fw.bin of=kernel.bin skip=$((0x200)) count=$((0xCF72B))

6. Extract rootfs:

dd iflag=skip_bytes,count_bytes if=fw.bin of=rootfs.bin skip=$((0x100000)) count=$((0x2C0000))

sudo unsquashfs rootfs.bin

Demo

Comments

Post a Comment

Popular posts from this blog

Decrypt TP-Link config.bin Configuration Backup File

Image
Configuration backup file can be downloaded from certain TP-Link devices by clicking  Backup button on System Tools > Backup & Restore page. The downloaded configuration file, config.bin is encrypted. To decrypt the config.bin  file, use key 478DA50BF9E3D2CF. openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin -out dec_config.bin First 16 bytes of the output file, dec_config.bin is the MD5 hash of configuration text file. Decrypted file may also contain null byte padding at the end. In this case there are 4 null bytes at the end of file. To extract configuration text file, remove MD5 hash (First 16 bytes) and padding (Last 4 bytes).  dd if=dec_config.bin of=config.txt bs=1 skip=16 truncate -s -4 config.txt Output file, config.txt contains the configurations. Its MD5 hash should match the MD5 given in dec_config.bin. Demo
Read more

Firmadyne Installation & Emulation of Firmware

Image
   Introduction Firmadyne can be used to perform emulation and analysis of Linux based firmware. Installation Install Ubuntu 18.04 LTS and upgrade all packages: sudo apt update sudo apt upgrade Install and configure other packages: sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10 git clone --recursive https://github.com/firmadyne/firmadyne.git git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo ./deps.sh sudo python ./setup.py install cd .. sudo apt-get install postgresql sudo -u postgres createuser -P firmadyne Give firmadyne as password. sudo -u postgres createdb -O firmadyne firmware sudo -u postgres psql -d firmware < ./firmadyne/database/schema cd firmadyne ./download.sh sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils nano firmadyne.config Un
Read more

Extract / Create Cramfs File System from Ubuntu 20.04

Image
  Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert  cramfs   file to little endian file  cramfs_le  using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le  to folder  fs  using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder  fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Demo
Read more