TrendChip Firmware XOR checksum algorithm disassembly

I have to warn you: this is not a standalone article. How I ended up writing about MIPS disassembly with zero previous experience is documented in another article that lists the adventures I had with my ZTE H108NS modem router.

Nevertheless, here I am standing against an unknown architecture, trying to reverse engineer the mighty XOR checksum algorithm used by the modem to distinguish correct from incorrect firmware. Note that this wasn’t a linear process with a start, a main part and an end. It was mostly a tree of attempts with extensive backtracking which is just a cool way to say “trial and error”. However, I do care to make sense to my readers so I will try to present the events in a linear manner.

TrendChip firmware employs a first stage bootloader in partition 0 that has the capability to upload new firmware in order to unbrick your modem router. Since this a minimal bootloader it should be easy to navigate around and find the XOR checksum algorithm.

In addition while in normal mode the TrendChip firmware employs the cfg_manager binary to perform the firmware upload. It is a safe bet that cfg_manager has to implement the XOR checksum algorithm also. cfg_manager is a much bigger binary with all kinds of functionality. It should be significantly more difficult to find the algorithm we are searching in its assembly listings.

There is a reason that the saying

Assumption is the mother of all fuckups.

is a fact of life. In this case the assumptions that cost me several days was

  • small binary – easy to understand and manipulate
  • big binary – difficult to navigate and understand

BOOTROM and Primary Bootloader

We will see how common sense rules can fail in a short while. In the meantime how do we disassemble a MIPS binary in a Debian GNU/Linux workstation? I never claimed to be google shy so after some searches and non educated guesses I found:

I had problems with the first three. In retrospect the biggest problem was that I was trying to disassemble the primary bootloader of partition 0 without knowing the base address. One very important free variable to the disassembly problem is the base address. If you don’t get the base address right the disassembly listings don’t make sense when the program tries to perform absolute jumps or to read data. So more google…

Looks like that MIPS boards initialize the BOOTROM base address at 0xbfc00000 most of the times. If you get that correctly the later steps are a breeze. Let’s see how it is done.

The first thing to do is install cross MIPS binutils in our system. Debian has excellent support for cross architectures and libraries. Cross architecture support is admittedly of the most difficult problems to get right so let’s use it:

apt-get install binutils-mips-linux-gnu

And now let’s disassemble

mips-linux-gnu-objcopy -I binary -O elf32-tradbigmips -B mips --rename-section .data=.text --change-address 0xbfc00000 p0.head p0.head.elf
mips-linux-gnu-objdump -D p0.head.elf > p0.head.asm

Here is how it looks like

bfc00000 :
bfc00000:	0bf0000a 	j	bfc00028 
bfc00004:	00000000 	nop
	...
bfc00028:	3c02bfbf 	lui	v0,0xbfbf
bfc0002c:	34420200 	ori	v0,v0,0x200
bfc00030:	24040000 	li	a0,0
bfc00034:	24050000 	li	a1,0
bfc00038:	ac440000 	sw	a0,0(v0)
bfc0003c:	ac450014 	sw	a1,20(v0)
bfc00040:	00000000 	nop
bfc00044:	3c03bfb0 	lui	v1,0xbfb0
bfc00048:	3c048000 	lui	a0,0x8000
bfc0004c:	3484ffff 	ori	a0,a0,0xffff
bfc00050:	24050000 	li	a1,0
bfc00054:	ac640000 	sw	a0,0(v1)
bfc00058:	ac650004 	sw	a1,4(v1)
bfc0005c:	8c6400b0 	lw	a0,176(v1)
bfc00060:	00000000 	nop
bfc00064:	00042302 	srl	a0,a0,0xc
bfc00068:	308400ff 	andi	a0,a0,0xff
bfc0006c:	10800016 	beqz	a0,bfc000c8 
bfc00070:	00000000 	nop
bfc00074:	3c090463 	lui	t1,0x463
bfc00078:	35291000 	ori	t1,t1,0x1000
bfc0007c:	240a018f 	li	t2,399
bfc00080:	240b01f3 	li	t3,499
bfc00084:	240c01c1 	li	t4,449
bfc00088:	012a2025 	or	a0,t1,t2
bfc0008c:	018a082a 	slt	at,t4,t2
bfc00090:	10200002 	beqz	at,bfc0009c 
bfc00094:	00000000 	nop
bfc00098:	34848000 	ori	a0,a0,0x8000
bfc0009c:	ac6400b0 	sw	a0,176(v1)
bfc000a0:	00000000 	nop
bfc000a4:	24081388 	li	t0,5000
bfc000a8:	2508ffff 	addiu	t0,t0,-1
bfc000ac:	1500fffe 	bnez	t0,bfc000a8 
bfc000b0:	00000000 	nop
bfc000b4:	114b0004 	beq	t2,t3,bfc000c8 
bfc000b8:	00000000 	nop
bfc000bc:	214a0005 	addi	t2,t2,5
bfc000c0:	0bf00022 	j	bfc00088 
bfc000c4:	00000000 	nop
bfc000c8:	3c048000 	lui	a0,0x8000
bfc000cc:	34840300 	ori	a0,a0,0x300
bfc000d0:	3c058000 	lui	a1,0x8000
bfc000d4:	34a50504 	ori	a1,a1,0x504
bfc000d8:	3c068000 	lui	a2,0x8000
bfc000dc:	34c60706 	ori	a2,a2,0x706

 

We obviously need some education on the MIPS architecture, instruction set and register layout. One thing I didn’t know and I couldn’t foresee is that due to the pipeline architecture of MIPS the instruction after a jump will be executed. That’s why it is typical to suffix a jump with a nop instruction like at offset 0xbfc000c4 or 0xbfc000b8.

So what the above code is doing exactly? Well it is the BOOTROM, it sets things up and then copies some code at 0xb8000000 and jumps there. Can we disassemble that part?

dd if=p0 of=p0.1 seek=960 bs=1
mips-linux-gnu-objcopy -I binary -O elf32-tradbigmips -B mips --rename-section .data=.text --change-address 0xb80000000 p0.1 p0.1.elf
mips-linux-gnu-objdump -D p0.1.elf > p0.1.asm

and here is where the control is relinquished to

Disassembly of section .text:

80000000 :
	...
80000280:	3c1a8000 	lui	k0,0x8000
80000284:	275a0290 	addiu	k0,k0,656
80000288:	03400008 	jr	k0
8000028c:	00000000 	nop
80000290:	3c1c8000 	lui	gp,0x8000
80000294:	279c1890 	addiu	gp,gp,6288
80000298:	27881fe0 	addiu	t0,gp,8160
8000029c:	251dfff0 	addiu	sp,t0,-16
800002a0:	3c088000 	lui	t0,0x8000
800002a4:	25081870 	addiu	t0,t0,6256
800002a8:	ad000000 	sw	zero,0(t0)
800002ac:	3c098000 	lui	t1,0x8000
800002b0:	2529388c 	addiu	t1,t1,14476
800002b4:	3c1a8000 	lui	k0,0x8000
800002b8:	275a3890 	addiu	k0,k0,14480
800002bc:	25080004 	addiu	t0,t0,4
800002c0:	ad000000 	sw	zero,0(t0)
800002c4:	1509fffd 	bne	t0,t1,800002bc 
800002c8:	00000000 	nop
800002cc:	0c0000b8 	jal	800002e0 
800002d0:	00000000 	nop

At that point I was lost. I had no idea where the primary bootloader was and what this thing was doing. Back to the drawing board.

QEMU

I have to say at this point that my assembly skills are not that good to figure all these out just from the assembly listings without some help. The help was the qemu emulator program. Although qemu would barf in board specific initialization attempts it was still valuable to figure out how the BOOTROM boots the primary bootloader. Here are some tips:

Connect to gdb

qemu-system-mips  -M mips -pflash flash -monitor null -nographic -S -s
#from another terminal
gdb-multiarch p0.head.elf
gdb>
  target remote localhost:1234
  load p0.head.elf32
  x/14i $pc
  stepi
  info registers

Run and keep instruction set log

qemu-system-mips -L .  -option-rom 0xbfc00000.bin  -pflash flash -monitor null -nographic -d in_asm 2>stderr

where flash is the part of the flash memory you want to run.

In a perfect world it should be possible to run the primary bootloader by running the flash contents. I believe everyone should have collect enough hints by now about which world we are living in so the fact that qemu doesn’t reach that point doesn’t come as a total surprise. Still qemu was very helpful if you treat it as one additional weapon in your arsenal and not as a silver bullet.

cfg_manager

Trying the alternate plan since I got stuck previously. Let’s see what’s going on with the cfg_manager. After playing with too much open variables, disassembler, base address, unknown platform, I  suddenly a realized a very simple and very obvious (in retrospect) fact.

The cfg_manager binary was not stripped

At first I realized that with the help of the recstudio running under WINE, through it was obvious also with objdump . I couldn’t figure how to load a binary in the Linux version but I did managed it with the windows executable and WINE. At the right corner was a small almost invisible panel (you had to resize it to view it) with the program’s symbols. I am a visual guy but usually not very good to optical grepping. In this case though even I was not able not to see a function named upgrade_firmware which calls image_check_tc which calls calculate_crc32. Bingo!!!

cfg_manager_recstudio_01And here is the C code for the CRC calculation as decompiled by recstudio.cfg_manager_recstudio_02Let’s see the assembly code from objdump in case it may be helpful.

0045a8a0 :
  ...
  45a93c:	02251821 	addu	v1,s1,a1
  45a940:	90620000 	lbu	v0,0(v1)
  45a944:	24a50001 	addiu	a1,a1,1
  45a948:	00501026 	xor	v0,v0,s0
  45a94c:	304200ff 	andi	v0,v0,0xff
  45a950:	00021080 	sll	v0,v0,0x2
  45a954:	00461021 	addu	v0,v0,a2
  45a958:	8c440000 	lw	a0,0(v0)
  45a95c:	00101a02 	srl	v1,s0,0x8
  45a960:	00b2102a 	slt	v0,a1,s2
  45a964:	1440fff5 	bnez	v0,45a93c 
  45a968:	00838026 	xor	s0,a0,v1
  45a96c:	1280ffe5 	beqz	s4,45a904

The interesting bit is that the CRC algorithm uses a lookup table. If you can figure that out and where that table is located you are golden. In cfg_manager the lookup table is located at 0x4769b0 and the C code of the CRC calculation (taken from tcrevenge) looks like this:

const char crc32_c[] = "0000000077073096ee0e612c...8ea15a05df1b2d02ef8d";
#define crc32_c_size ((sizeof(crc32_c) - 1) / sizeof(char))
unsigned char crc32_m[crc32_c_size >> 1];
#define crc32_size sizeof(crc32_m) / sizeof(char)

static int be2int(unsigned char *c) {
  return c[3] | (c[2] << 8) | (c[1] << 16) | c[0] << 24);
}

unsigned int calc_crc32(unsigned int sum, const char *filename, int offset) {
  unsigned char buffer[4096];
  int fd = open(filename, O_RDONLY);
  lseek(fd, offset, SEEK_SET); /* skip header */
  int rc;

  while ((rc = read(fd, buffer, sizeof(buffer))) > 0) {
    int i;
    for(i=0; i< rc; i++) {
      sum = be2int(crc32_m + (((buffer[i] ^ sum) & 0xFF) << 2)) ^ sum >> 8;
      //printf("byte %02x, sum %08x\n", buffer[i], sum);
    }
  }
    
  close(fd);
  return sum;
}

...

/* Initialize crc32_m from crc32_c */
  unsigned int j;
  char cnv[] = {0, 0};
  for (i = 0; i < crc32_size; i++) {
    j = i << 1;
    cnv[0] = crc32_c[j];   
    const int high = (int) strtol(cnv, NULL, 16);
    cnv[0] = crc32_c[j + 1];
    const int low = (int) strtol(cnv, NULL, 16);
    const int val = 16 * high + low;
    //printf("%d %d %d %02x\n", low, high, val, val);
    crc32_m[i] = val;
  }

Back to the primary bootloader

So after all it was easier to reverse engineer the cfg_manager (due to non-stripping) than the primary bootloader. However it is not like me to leave unfinished business. The primary bootloader needs to have the lookup table also in partition 0 in order to be able to clone the behavior. If we do a hex search with the first bytes of the lookup table then we can find the offset of the lookup table in the partition 0.

Nope it isn’t there. Now what?

Let’s try binwalk in the partition 0. We have never tried binwalk in that partition before because it isn’t part of the firmware image.

$ binwalk -e p0

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
7216          0x1C30          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 120416 bytes
$ls
p0 _p0.extracted
$ls _p0.extracted/
1C30  1C30.7z
cd _p0.extracted/
$mips-linux-gnu-objcopy -I binary -O elf32-tradbigmips -B mips --rename-section .data=.text --change-address 0x81fb0000 1C30 1C30.elf
$mips-linux-gnu-objdump -D 1C30.elf > 1C30.asm

That was it. The primary bootloader was actually LZMA compressed inside the partition 0. Here is how it looks like:

Disassembly of section .text:

81fb0000 :
	...
81fb0280:	3c1a81fb 	lui	k0,0x81fb
81fb0284:	275a0290 	addiu	k0,k0,656
81fb0288:	03400008 	jr	k0
81fb028c:	00000000 	nop
81fb0290:	3c1c81fe 	lui	gp,0x81fe
81fb0294:	279c6864 	addiu	gp,gp,26724
81fb0298:	27881fe0 	addiu	t0,gp,8160
81fb029c:	251dfff0 	addiu	sp,t0,-16
81fb02a0:	3c0881fd 	lui	t0,0x81fd
81fb02a4:	2508d660 	addiu	t0,t0,-10656
81fb02a8:	ad000000 	sw	zero,0(t0)
81fb02ac:	3c0981ff 	lui	t1,0x81ff
81fb02b0:	25298bac 	addiu	t1,t1,-29780
81fb02b4:	3c1a81ff 	lui	k0,0x81ff
81fb02b8:	275a8bb0 	addiu	k0,k0,-29776
81fb02bc:	25080004 	addiu	t0,t0,4
81fb02c0:	ad000000 	sw	zero,0(t0)
81fb02c4:	1509fffd 	bne	t0,t1,81fb02bc 
81fb02c8:	00000000 	nop

Searching reveals that the lookup table is at 0x81fcaad0. Searching for aad0 in the instruction set reveals the position where the lookup table is accessed and so where the CRC calculation leaves. Here is the relevant part:

81fb49c8:	3c0281fd 	lui	v0,0x81fd  <--- The lookup table has a different base address than the code
81fb49cc:	2453aad0 	addiu	s3,v0,-21808  <--- Access Lookup table
81fb49d0:	8e820000 	lw	v0,0(s4)   <--- Start of the main loop
81fb49d4:	00000000 	nop
81fb49d8:	30420001 	andi	v0,v0,0x1
81fb49dc:	10400006 	beqz	v0,81fb49f8 
81fb49e0:	00000000 	nop
81fb49e4:	0c7f24f4 	jal	81fc93d0 
81fb49e8:	02202021 	move	a0,s1
81fb49ec:	00021600 	sll	v0,v0,0x18
81fb49f0:	087ed280 	j	81fb4a00 
81fb49f4:	00021603 	sra	v0,v0,0x18
81fb49f8:	82220000 	lb	v0,0(s1)
81fb49fc:	00000000 	nop
81fb4a00:	00521026 	xor	v0,v0,s2
81fb4a04:	304200ff 	andi	v0,v0,0xff
81fb4a08:	00021080 	sll	v0,v0,0x2
81fb4a0c:	00531021 	addu	v0,v0,s3
81fb4a10:	00121a02 	srl	v1,s2,0x8
81fb4a14:	8c420000 	lw	v0,0(v0)
81fb4a18:	00000000 	nop
81fb4a1c:	00629026 	xor	s2,v1,v0
81fb4a20:	2610ffff 	addiu	s0,s0,-1
81fb4a24:	1600ffea 	bnez	s0,81fb49d0  <--- End of main loop

As you can see the algorithm is equivalent with the one found in the cfg_manager.

Cool project verified and finished. Hope you had fun (for weird values of fun).

Writing code snippets in wordpress without plugins

The other day I was trying to put some code snippets in a blog entry. At some point, without exactly understand how, I started a two days fight with the WordPress editor.

My blog is in wordpress.com. That means:

  • no plug-ins are allowed.
  • no access to functions.php.
  • no access to the theme’s style.css (It is available only to paying accounts and not to the free service.)

In addition WordPress tends to put tags like <p> and <br> when it feels like it. This is like going to war not only unarmed but naked too.

My requirements are simple but usually end up to frustrating battles.

  1. Code should not be wrapped. Scrollbar should show when required.
  2. Lines should wrap on enter.
  3. Spaces and tabs should honored and not collapsed.
  4. No extra <p> and <br> or any other automatic formatting should be generated.

Fragments of the solution includes:

  • overflow: auto; to enable the scrollbar
  • white-space: pre; to prevent wrapping on white space but allow line breaks. See here.
  • word-wrap: normal; Chrome and IE requires it at least for my theme.
  • line-height: 1; to convince your theme for a more compact code view. Vertical space matters.
  • margin-bottom: 0; if your theme has its own opinion on what constitutes valid typography.

Several solutions in the Internet mention the <code> tag. Let’s try it.

for (i=0; i < N; i++) {
printf("hello world\n"); /* comment should be several spaces away */
}

This has the following problems:

  • Violates requirement 3: It collapses spaces. Note that originally WordPress does not collapse spaces. However, as soon you switch to the WYSIWING editor you are toast. WordPress will collapse your spaces under your feet without noticing. Who could thought that?
  • Violates requirement 4:  WordPress, puts <br> for every enter in the original text resulting in ugly double lines of code.
  • IE Only: Violates requirement 1: It wraps texts on spaces. Who knows why?
  • It needs to be wrapped in a block element like <div> or <blockquote> otherwise the background is not painted properly.

Let’s try <pre> instead:

for (i=0; i < N; i++) {
          printf("hello world\n");        /* comment should be several spaces away */
}

 

This satisfies all requirements. WordPress does not add <br> tags and does not collapse spaces inside <pre>. Scrollbars appears when needed and no wrapping is taking place. Note that your code should start immediately after the <pre> tag if you don’t want weird empty lines in the top of your nice code.

Here is the magic HTML:

 <pre style="overflow: auto; background: black; color: white; margin-bottom: 0; line-height: 1; white-space: pre; word-wrap: normal;">for (i=0; i &lt; N; i++) {
          printf("hello world\n");        /* comment should be several spaces away */
}</pre>

You can check the other examples by viewing the source (Ctrl+U) in your browser or in your browser’s inspector (F12).

Hope that helps.

Reverse Engineering TrendChip Firmware (ZTE-H108NS).

It all started when I bought a new computer at home for my developer needs. Usually I fall to the other end of the gadget likeness spectrum. Specifically I avoid buying gadget stuff due to the unhealthy amount of time I found myself devoting to their configuration. However this time the conspiracy of things was masterfully executed to the point that I didn’t notice until it was too late (a blog and a github project later).

Actually If I want to be pedantic the first pieces has been fallen into place about 6 months before when my father switched ISP and he ended up with two new modems (ZTE-H108NS). Since I was the one that configured the new connections I preferred to use the existing modems in place. So I ended up with two brand new modems. At the time I thought “Hm? Maybe I should try to optimize my DSL line with a new modem and get rid of my trusty speedtouch 585“. I didn’t realize it then but that was probably the cornerstone that put in motion a series of events.

When finally my new computer arrived it had a feature that my previous 12 year computer was lacking. The might new feature was a working sleep/hibernate implementation. I immediately thought “Cool – I will be now able to hibernate my computer – It will not need to stay up all the time.”. Here is the train of thought:

– But what if I need something when I am away and my computer is turned off?

– Well we should try this thing called WOL (Wake on LAN) – Another new feature for me.

Two weeks later after I have studied in detail all possible permutations of BIOS options, the fine differences between S4, power off and hybrid mode and wandered in forums I finally managed to master the WOL from my LAN.

– So what about the WAN? After all if I could use the LAN I could always switch on my computer by pressing the button – no need for WOL at all.

– Wait! said an inner voice and the only advice I can give to myself from now on to not listen again that particular inner voice. If you are going to teach the modem about WOL maybe you should finally ditch the speedtouch 585. and invest some time to the new ZTE-H108NS modem said the voice.

DSL Line Optimization

So I switched modems – I configured the new modem and went to device status page in order to check on the DSL link speed. It was a gapping 12MBit/s exactly the same with the speedtouch 585. Given that my house is 35 meters away from the OTE (Greek ISP provider) building this is unacceptable. I picked up the phone and called my ISP. 15′ later my modem was syncing in 18MBit/s. Not bad.

Further research suggested the following command line (telnet interface of the modem)

#wan dmt2 set snrmoffset 4096 4096
#wan adsl reset

which happily increased my downlink to 22MBit/s. I thought let’s call it a day on the speed front and let’s concentrate back in the energy footprint front.

WOL over WAN

I was able to send the WOL over the internet with a minor arp tables hack. Specifically I had to map another address, let’s say 192.168.1.254 to the broadcast address.

#arp -s 192.168.1.254 FF:FF:FF:FF:FF:FF

Then on Advanced Setup/NAT/Virtual Server I setup a rule for ports 7-9 that goes to the internal ip address 192.168.1.254 which due to the above arp hack ends up as a broadcast packet waking up my computer. The following command wakes up my computer from anywhere in the world.

$wakeonlan -i `host myhost.mydomain.com | awk '{print $NF;}'` de:ad:ca:fe:be:ef

where myhost.mydomain.com is my Dynamic DNS hostname and de:ad:ca:fe:be:ef is the MAC address of my computer.

Dynamic DNS

The situation now begs the question: If the computer is turned off who is gonna maintain the Dynamic DNS entry up to date? Normally this is a job for the modem router because it has intimate knowledge of the external ip address and its changes. I am already a client of namecheap and I would like to use that provider for DDNS. Of course since the Internet community hasn’t succeed so far to standardize the DDNS updates protocol consequently the ZTE-H108NS modem doesn’t have support for namecheap.

Samba woes

In the meantime my wife had an unusual request. She wanted to print like it was the most natural thing of the world. I responded to the request lightly, full of self confidence. I installed samba and cloned the configuration from the backup of my previous setup. Yep that’s right. I am that good. I have a backup. What could possibly go wrong?

Well for starters my new machine was not visible in the network neighborhood. This took a good 2-3 hours to figure it out and it was a lesson to humility. It turns out that:

  1. The modem DHCP server sets itself as WINS server.
  2. Although nmbd is running the smb.conf in the modem does not enable WINS support. Bummer!
  3. There is no option in the GUI to enable the WINS server
  4. The modem confuses the workgroup name with the NETBIOS and vice versa.

The Decision

At this point insurmountable pressure has been gathered. I needed to hack the modem in order to fix the following itches ^H^H items.

  1. DSL Line setup
  2. Arp table setup for WAN WOL support
  3. Enable the WINS server in smb.conf
  4. namecheap Dynamic DNS support

These problems are not fixable without modifying the root filesystem or uploading custom firmware. Some of them require just a configuration file change but the namecheap Dynamic DNS support requires to modify and rebuild a MIPS executable.

Reverse Engineering -Know your enemy

Let’s try to find some info on this thing. I opened the case and I found these chips:

  • Chassis PCB – BZRD0 V1.0
  • CPU – U100 TrenChip TC3162U-LQ128G
  • SDRAM- EtronTech EM6381165TS-6G
  • SPI Flash – winbond 25Q16BVSIG

Let’s enter the modem via telnet:

$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 login: admin
Password:
# cat /proc/cpuinfo 
system type             : TrendChip TC3162U SOC
processor               : 0
cpu model               : R3000 V0.1
BogoMIPS                : 330.95
wait instruction        : no
microsecond timers      : no
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 187256836
#
# free
              total         used         free       shared      buffers
  Mem:        29196        27936         1260            0         2088
 Swap:            0            0            0
Total:        29196        27936         1260
# ls -l /
drwxr-xr-x    2 17431    10513         389 bin
drwxr-xr-x    4 17431    10513          46 boaroot
drwxr-xr-x    6 17431    10513         535 dev
lrwxrwxrwx    1 17431    10513           8 etc -> /tmp/etc
drwxr-xr-x    4 17431    10513        1507 lib
lrwxrwxrwx    1 17431    10513          11 linuxrc -> bin/busybox
dr-xr-xr-x   64 0        0               0 proc
drwxr-xr-x    2 17431    10513         138 sbin
drwxr-xr-x    7 0        0               0 tmp
drwxr-xr-x    4 17431    10513         107 userfs
drwxr-xr-x    7 17431    10513          67 usr
lrwxrwxrwx    1 17431    10513           8 var -> /tmp/var
# ls /etc/
AppFilter.sh             ipv6_acl.sh              nat_pvc9_0
RT30xxEEPROM.bin         isp0.conf                nat_pvc9_1
UrlFilter.sh             isp1.conf                nat_pvc9_2
Wireless                 isp11.conf               nat_pvc9_3
acl.sh                   l7-protocols             nat_pvc9_4
add_rule_for_dhcp.sh     lanAlias0.conf           nat_pvc9_5
adsl.conf                lan_rip.conf             nat_pvc9_6
adsl.sh                  lanconfig.sh             nat_pvc9_7
autoexec.sh              mac.conf                 ntp.sh
bftpd.conf               nat_pvc0                 passwd
config                   nat_pvc1                 ppp
ddns.conf                nat_pvc10                protocols
defaultWan.conf          nat_pvc10_0              radvd.conf
devInf.conf              nat_pvc10_1              resolv.conf
device_hostindex.conf    nat_pvc10_2              resolv_ipv4.conf
dhcp6c.conf              nat_pvc10_3              resolv_ipv6.conf
dhcp6s.conf              nat_pvc10_4              ripd.conf
dhcpd                    nat_pvc10_5              route6.sh
dnsmasq.conf             nat_pvc10_6              samba
dproxy.conf              nat_pvc10_7              services
ethertypes               nat_pvc2                 shaper
firewall.conf            nat_pvc3                 snmp
fstab                    nat_pvc4                 snmpd.conf.tmp
fwTCver.conf             nat_pvc5                 sysconfig
fwver.conf               nat_pvc6                 system
group                    nat_pvc7                 trx_config
hosts                    nat_pvc8                 udhcp_lease
igd                      nat_pvc8_0               udhcpd.conf
igmpproxy.conf           nat_pvc8_1               udhcpd.fon.conf
inetd.conf               nat_pvc8_2               udhcpd.fon.leases
init.d                   nat_pvc8_3               usb_modeswitch.conf
inittab                  nat_pvc8_4               usb_modeswitch.d
inittab_no_ra_menu       nat_pvc8_5               usb_modeswitch_cfg.conf
inittab_ra_menu          nat_pvc8_6               usertty
iproute2                 nat_pvc8_7               xml
ipupdate.conf            nat_pvc9                 zebra.conf
# ls /userfs/bin/
auto_mount_dongle   hello               ripd
bftpd               igmpproxy           skbmgr
boa                 inetd               smbd
cfg_manager         iwpriv              smbpasswd
chat                mtd                 snmpd
dhcp6c              nmbd                tcapi
dhcp6s              ntfs-3g             tftpd
dhcrelay            ntpclient           tr69
dnsmasq             pppoe-relay         usb_auto_mount
ethphxcmd           radvd               vconfig
ez-ipupdate         restore_linos_info  zebra
# ls /usr/script/
AppFilterStop.sh              ipv6_filter_forward_start.sh
RebootScript                  ipv6_filter_forward_stop.sh
UrlFilterStop.sh              ipv6rd_start.sh
acl_stop.sh                   lanAlias_start.sh
before_tr069_download.sh      lanAlias_stop.sh
before_web_upgrade.sh         nat_start.sh
br_conf.sh                    nat_stop.sh
ddns.sh                       ntpclient.sh
ddns_run.sh                   ppp_start.sh
dhcp6c_script                 restart_boa.sh
dmz.sh                        samba.sh
dongle_dial_off.sh            samba_add_dir.sh
dongle_dial_on.sh             settime.sh
ether_mac.sh                  spi_fw_start.sh
filter_forward_start.sh       spi_fw_stop.sh
filter_forward_stop.sh        udhcpc.sh
fw_start.sh                   udhcpc_nodef.sh
fw_stop.sh                    upgrade_firmware.sh
getnow.sh                     urlfilter_start.sh
ipaddr_mapping.sh             urlfilter_stop.sh
ipfilter.sh                   vserver.sh
ipfilter_start.sh             wan_start.sh
ipfilter_stop.sh              wan_start_ipv4.sh
ipmacfilter_stop.sh           wan_start_ipv6.sh
ipv6_acl_stop.sh              wan_stop.sh
# mount
/dev/mtdblock3 on / type squashfs (ro)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
devpts on /dev/pts type devpts (rw)
usbfs on /proc/bus/usb type usbfs (rw)
# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00010000 00010000 "bootloader"
mtd1: 00010000 00010000 "romfile"
mtd2: 000e9560 00010000 "kernel"
mtd3: 004cf000 00010000 "rootfs"
mtd4: 007a0000 00010000 "tclinux"
mtd5: 00040000 00010000 "reservearea"

Some notes on what’s going on:

  • The CPU is TrendChip 3162U. Looks like there are a lot of products that utilize this CPU and may use the TrendChip firmware.
  • It has 32MB of memory.
  • Looks like it has 16MB of flash.
  • The rootfs is a standard mips uclibc based on busybox.
  • The /etc directory is symlinked to /tmp which is a tmpfs.
  • The /etc directory is created mostly by scripts living at /usr/script directory.
  • The scripts are called by an executable named /userfs/bin/cfg_manager.
  • The WEB GUI lives in /boaroot.
  • The WEB GUI breaks out to cfg_manager via a socket interface. Not so sure about that.
  • USB sticks are mounted under /tmp/mnt/usb1_1 and are automatically exported via samba. Question: Is it possible via a USB hub to mount multiple disks? That would be cool to actually convert a modem to a NAS.
  • The flash is partitioned and looks like that some parts of it map directly to the tclinux.bin firmware image.

Reverse Engineering – binwalk

Let’s start with firmware 1.07 named tclinux.bin. Note the the name tclinux.bin is checked by the firmware during update and it is quite possible that the modem will refuse to update its firmware if the file doesn’t have that name.

#apt-get install binwalk
$binwalk tclinux.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
256 0x100 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3232020 bytes
955744 0xE9560 Squashfs filesystem, little endian, version 3.0, size: 5036741 bytes, 986 inodes, blocksize: 65536 bytes, created: Tue Feb 11 09:50:54 2014

So the first 256 bytes is the header and then something else and much later at 0xE9560 starts a squashfs. Let’s dig a bit more.

$binwalk -e tclinux.bin
$ls _tclinux.bin.extracted/
100 100.7z _100.extracted E9560 E9560.squashfs
$cd _tclinux.bin.extracted
$binwalk 100
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1430825 0x15D529 LZMA compressed data, properties: 0xD0, dictionary size: 131072 bytes, uncompressed size: 277750168 bytes
2646072 0x286038 Linux kernel version "2.6.22.15 (root@mbjsbbcf01) (gcc version 3.4.6) #1 Tue Feb 11 1c version 3.4.6) #1 Tue Feb 11 10:17:49 CST 2014"

So the firmware image looks like this

  • 0-0x100 Header
  • secondary bootloader (Couldn’t figure which was it)
  • Linux kernel + initrd (Not sure which order)
  • 0x09560 squashfs
  • padding to 4K

The header has the following fields

  • 0x00 magic number = 0x32524448
  • 0x04 magic device (or header size – not sure) = 0x100
  • 0x08 tclinux size = actual file size in bytes with header included
  • 0x0C tclinux checsum = CRC – XOR checksum see below how to calculate
  • 0x10 firmware version string = “7.0.1.0\n” in my case
  • 0x30 a newline = “\n”
  • 0x50 squashfs offset = 0x9560 in my case
  • 0x54 squashfs size = size of squashfs size as reported by binwalk 5038080 bytes padded to 4096 (0x1000) sector 5038080 (0x4CE000)
  • 0x5C model string = “3 6035 122 74\n” in my case

The program tcrevenge can be used to check an existing firmware file or calculate the checksum and generate a proper header for a new one.

Question: How to compare the live system with the firmware image?

Answer: We can put a usb stick to the modem (sometime requires reboot with the usb stick inside the jack) and use samba to copy files around.

for i in 0 1 2 3 4 5; do echo cat /dev/mtd$i > /tmp/mnt/usb1_1/p$i; done;

Notes:

  • p0 (partition 0) is 64k has the primary bootloader. Running strings against it is instructive indeed. It includes a minimal web server and it should be (never done it) possible to recover the modem from a bad firmware image. That means it must have the same CRC algorithm with the normal software for uploading firmware. The contents of this partition do not change with a firmware update.
  • p1 is the configuration file as saved by the WEB interface. For some reason it is called romfile.
  • p2 is the secondary bootloader and probably the kernel and some initrd image. The contents of the partition are exact match with the firmware image tclinux.bin (header included) up to the squashfs image as extracted by binwalk above.
  • p3 is the squashfs starting at 0x9560 of the tclinux.bin.
  • p4 holds the tclinux.bin verbatim so the primary bootloader can recover the modem
  • p5 is a reserved partition

Question: is it possible to modify the contents of the root (squashfs) filesystem?

Answer: We will need firmware-mod-kit in order to cope with the unusual LZMA compression and the older version number.

$git clone https://code.google.com/p/firmware-mod-kit/

Follow the instructions and build the firmware-mod-kit utilities. To uncompress and extract the filesystem you will need root user capabilities in order to create the device nodes and other weird files.

$sudo ../firmware-mod-kit/src/squashfs-3.0/unsquashfs-lzma E9560.squashfs

created 731 files
created 115 directories
created 91 symlinks
created 48 devices
created 0 fifos
$ls
E9560.squashfs squashfs-root

After making modifications to the root filesystem. Here is how to pack it up again.

rm E9560.sq; ../firmware-mod-kit/src/squashfs-3.0/mksquashfs-lzma squashfs-root squashfs-root.sq

The file squashfs-root.sq contains the modified squashfs root image.

Now we need to extract the kernel so we can assemble back the modified tclinux.bin. Here is a one line to do it:

$dd if=tclinux.bin.orig of=kernel skip=256 count=`binwalk ../tclinux.bin.orig | awk '/Squash/ {print $1 - 256;}'` bs=1

The tclinux.bin.orig in the above command line is the original firmware image.

The tcrevenge program will output the header and the necessary padding and a nice command line suggestion to create the new tclinux.bin.

$./tcrevenge -k kernel -s squashfs-root.sq -o header -p padding
Creating necessary squashfs paddingfile padding 1352
Magic number: 0x32524448 at 0x00
Magic device: 0x00000100 at 0x04
tclinux.bin size: 5993824 (0x005B7560) at 0x08
tclinux.bin checksum: 0xD4BEA4AA at 0x0C
Firmware version at 0x10: 7.0.1.0
squashfs offset: 955488 (0x000E9460) at 0x50
squashfs size: 5038080 (0x004CE000) at 0x54
Model at 0x5C: 3 6035 122 74
Writing header to header. Create image with
         cat header kernel squashfs-root.sq padding > tclinux.bin
$

Update 29/3/2015 15:30: The disassembly of the MIPS executables that led to the reverse engineering and the C reimplementation of the CRC algorithm in tcrevenge is the subject of another article.

Modifications

Now that we can build a new modified firmware at request let’s proceed with the actual modifications we would like to achieve.

DSL Line setup

That’s an easy one and it does not require firmware changes at all. The configuration file is called romfile.cfg. It is an XML file and has a section named Autoexec.

<Autoexec>
<Entry cmd1="w dmt2 db tlb 2b"
cmd2="wan ghs set multi_number 3 3" cmd3="wan dmt2 set largeD 2"
cmd4="w dmt eoc dyingasp off" cmd5="w dmt2 set lpr off"
cmd6="echo 1 &gt; /proc/tc3162/port_reverse"
cmd7="wan dmt2 set snrmoffset 4096 4096"/>
</Autoexec>

Note the extra cmd7 added by me manually. This is enough to boost modem sync up to 22 MBit/s in my case. I didn’t find any script in /usr/script that generated /etc/autoexec.sh but the  /userfs/bin/cfg_manager matches autoexec. So probably /etc/autoexec.sh is generated by the cfg_manager binary. Here is how /etc/autoexec.sh looks like:

# cat autoexec.sh 
w dmt2 db tlb 2b
wan ghs set multi_number 3 3
wan dmt2 set largeD 2
w dmt eoc dyingasp off
w dmt2 set lpr off
echo 1 > /proc/tc3162/port_reverse
wan dmt2 set snrmoffset 4096 4096

Note that you have to see that inside the modem via telnet since /etc/autoexec.sh is automatically generated on boot time and it is not available in the expanded squashfs partition.

Arp table setup for WAN WOL support

It took a bit of trial and error but finally I managed to guess the correct script to edit. It is not immediately obvious because scripts are being run by the mysterious cfg_manager binary. The right script is /usr/script/nat_start.sh and here is the patch.

diff -ur ../_tclinux.bin.extracted.orig/E9560/usr/script/nat_start.sh E9560/usr/script/nat_start.sh
--- ../_tclinux.bin.extracted.orig/E9560/usr/script/nat_start.sh        2014-02-11 04:50:45.000000000 +0200
+++ E9560/usr/script/nat_start.sh       2015-02-27 20:37:59.908163151 +0200
@@ -62,3 +62,5 @@
 #              /usr/script/ipaddr_mapping.sh add $i $j
 #      fi
 #done
+
+/sbin/arp -s 192.168.1.254 FF:FF:FF:FF:FF:FF

WINS support

This one was easier. The /usr/script/samba.sh is generating the /etc/samba/smb.conf. Here is the patch that enables WINS support.

diff -ur ../_tclinux.bin.extracted.orig/E9560/usr/script/samba.sh E9560/usr/script/samba.sh
--- ../_tclinux.bin.extracted.orig/E9560/usr/script/samba.sh    2015-02-06 23:18:17.953887683 +0200
+++ E9560/usr/script/samba.sh   2015-02-06 22:49:31.920892757 +0200
@@ -17,6 +17,7 @@
 netbios name = $NETBIOS_NAME
 server string = Samba Server
 workgroup = $WORKGROUP
+wins support = yes
 security = user
 guest account = $GUEST
 log file = /var/log.samba

To be continued…

What is missing now is adding support for namecheap DDNS which belongs to another article.