Decompile/disassemble embedded software (bootloaders)

All about firmware for routers. Support for RouterTech firmware is here too.
rokafeller
Regular
Posts: 71
Joined: Wed Jul 22, 2009 8:57 pm
Location: Italy

Decompile/disassemble embedded software (bootloaders)

Post by rokafeller » Tue Mar 10, 2015 6:29 pm

Hi all,
as we all know, in home routers/CPEs it happens that bootloaders perform some checks to allow only vendor-approved firmware releases.
Bootloaders are tiny (usually 64 bytes) and often contain meaningful strings about check errors, so it shouldn't be hard to decompile them and change the conditional jumps to avoid the checks.

I have some basic knowledge about decompiling/disassembling/patching for x86 and would like to try and disassemble these bootloaders.
The architecture is usually MIPS/MIPSEL.

Would you have any suggestions about where to start, i.e. any tools and/or examples out there that you know of?

thanks
G.
Running D-Link DSL-G624T, PSP bootloader in place of the original Adam2, RouterTech Firmware v2.97. OpenVPN and port knocking services activated.
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Decompile/disassemble embedded software (bootloaders)

Post by mstombs » Tue Mar 10, 2015 8:45 pm

The bootloaders are a bit bigger than 64 bytes! About 1024 times bigger! There is source code available for some adam2, pspboot or Broadcom CFE bootloaders, but individual manufacturers may tweak RAM timings or switch chip initialization, and the sources in GPL releases may not be the ones used! Pretty thankless task; you need to be proficient with JTAG tools or you will make real bricks!

If you start now I'd recommend looking at ARM routers - like mobile phones nextgen routers seem to be switching to ARM cores - which is fascinating for some of us old enough to remember the history of Acorn computers...
rokafeller
Regular
Posts: 71
Joined: Wed Jul 22, 2009 8:57 pm
Location: Italy

Re: Decompile/disassemble embedded software (bootloaders)

Post by rokafeller » Wed Mar 11, 2015 8:32 am

I currently have a working JTAG setup (on the TI AR7 platform), so I can play around.
About bootloader sizes... am I missing anything here?
Take for example the G624T (and that applies to several other boxes as well):

Code:

partition   start        end          size       Name
mtd2        0x90000000   0x90010000   64 KiB     Bootloader
mtd1        0x90010090   0x90091000   ~516 KiB   Kernel
mtd0        0x90091000   0x903f0000   3452 KiB   Root filesystem
mtd3        0x903f0000   0x90400000   64 KiB     Configuration
mtd4        0x90010000   0x903f0000   3968 KiB   (unnamed)
The mtd2 partition, containing either the adam2 or the psp bootloader, is 0x10000 bytes = 64 KiB. I've also seen bootloader images 128 KiB big, but not bigger than this, at least for home CPEs.
According to my knowledge, bootloaders like adam2 or psp shouldn't contain self-decompressing routines, so their real size should be the partition size...
Running D-Link DSL-G624T, PSP bootloader in place of the original Adam2, RouterTech Firmware v2.97. OpenVPN and port knocking services activated.
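As an added example (not code from the thread or from RouterTech), here is a small Python script that ties together the two ideas above: carving the 64 KiB mtd2 bootloader partition out of a raw flash dump using the partition table posted above, listing the printable strings in it (the "meaningful strings about check errors" the first post expects), and inverting a MIPS beq/bne so a conditional jump around a check is flipped. It assumes a raw dump whose offset 0 corresponds to the memory-mapped address 0x90000000; the demo flash image, the error string and the planted branch instruction are constructed for the demo and do not come from any real bootloader. Endianness is a parameter, since the thread mentions both MIPS and MIPSEL.

```python
import re
import struct

# Memory-mapped flash base and mtd layout copied from the partition table
# posted above for the DSL-G624T (name -> (start, end) as absolute addresses).
FLASH_BASE = 0x90000000
MTD_LAYOUT = {
    "mtd2": (0x90000000, 0x90010000),  # Bootloader (adam2 / pspboot)
    "mtd1": (0x90010090, 0x90091000),  # Kernel
    "mtd0": (0x90091000, 0x903f0000),  # Root filesystem
    "mtd3": (0x903f0000, 0x90400000),  # Configuration
}
FLASH_SIZE = 0x400000  # 4 MiB part: end of mtd3 minus FLASH_BASE


def partition_size(name):
    """Size in bytes of a partition, to sanity-check against the posted table."""
    start, end = MTD_LAYOUT[name]
    return end - start


def carve(flash, name):
    """Cut the named partition out of a raw dump (offset 0 == FLASH_BASE, assumption)."""
    if len(flash) != FLASH_SIZE:
        raise ValueError("expected a %d byte dump, got %d" % (FLASH_SIZE, len(flash)))
    start, end = MTD_LAYOUT[name]
    return flash[start - FLASH_BASE:end - FLASH_BASE]


def printable_strings(blob, min_len=8):
    """Runs of printable ASCII, the usual first look at an unknown bootloader."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# MIPS32 I-type encoding: opcode(6) | rs(5) | rt(5) | signed offset(16).
OP_BEQ, OP_BNE = 0x04, 0x05


def decode_itype(word):
    return word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF


def invert_branch(blob, offset, endian="<"):
    """Return a copy of blob with the beq/bne at `offset` flipped to its inverse.

    endian: "<" for MIPSEL images, ">" for big-endian MIPS. Refuses to touch a
    word that is not beq/bne, so a wrong offset never silently corrupts the image.
    """
    (word,) = struct.unpack_from(endian + "I", blob, offset)
    op, rs, rt, imm = decode_itype(word)
    if op not in (OP_BEQ, OP_BNE):
        raise ValueError("0x%x: opcode %#x is not beq/bne" % (offset, op))
    flipped = ((OP_BNE if op == OP_BEQ else OP_BEQ) << 26) | (rs << 21) | (rt << 16) | imm
    out = bytearray(blob)
    struct.pack_into(endian + "I", out, offset, flipped)
    return bytes(out)


# ---- constructed demo image (invented, not a real dump) ----
DEMO_MSG = b"bad firmware image, refusing to flash"          # invented error string
DEMO_BRANCH_OFF = 0x1000                                      # where the beq is planted
DEMO_BEQ = (OP_BEQ << 26) | (2 << 21) | (0 << 16) | 0x0002   # beq $v0, $zero, +8


def build_demo_flash():
    """Blank (0xff) 4 MiB flash with one fake string and one little-endian beq in mtd2."""
    flash = bytearray(b"\xff" * FLASH_SIZE)
    flash[0x2000:0x2000 + len(DEMO_MSG)] = DEMO_MSG
    struct.pack_into("<I", flash, DEMO_BRANCH_OFF, DEMO_BEQ)
    return bytes(flash)


def demo():
    flash = build_demo_flash()
    boot = carve(flash, "mtd2")
    patched = invert_branch(boot, DEMO_BRANCH_OFF)
    (new_word,) = struct.unpack_from("<I", patched, DEMO_BRANCH_OFF)
    return {
        "bootloader_size": len(boot),
        "strings": printable_strings(boot),
        "opcode_before": decode_itype(DEMO_BEQ)[0],
        "opcode_after": decode_itype(new_word)[0],
    }


if __name__ == "__main__":
    print(demo())
```

On a real image you would locate the branch offset with a disassembler first (the string cross-reference gives you the neighbourhood), then apply `invert_branch` at that offset and compare the before/after disassembly; the opcode check is there so a typo in the offset raises instead of producing a brick.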
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Decompile/disassemble embedded software (bootloaders)

Post by mstombs » Wed Mar 11, 2015 11:13 am

Your first post missed the "k" in the bootloader size! Broadcom CFE bootloaders are generally bigger, but will always fit into a whole number of flash erase blocks; for bigger flash chips there will be up to 256 kB ones.

There were some adam2 or pspboot sources (possibly incomplete) in Linksys or Acorp GPL releases, not sure about D-Link; some of these have specific flash chips which need specific drivers.

How old are your TI AR7 routers? RouterTech firmware has kept them going for years after the original manufacturers abandoned them, but there is not much future in ADSL connections!