Hi all,
As we all know, in home routers/CPEs it happens that bootloaders perform some checks to allow only vendor-approved firmware releases.
Bootloaders are tiny (usually 64 bytes) and often contain meaningful strings about check errors, so it shouldn't be hard to decompile them and change the conditional jumps to avoid the checks.
I have some basic knowledge about decompiling/disassembling/patching for x86 and would like to try and disassemble these bootloaders.
The architecture is usually MIPS/MIPSEL.
Would you have any suggestions about where to start? I.e. if you know some tools and/or examples out there?
Thanks
G.
Decompile/disassemble embedded software (bootloaders)
- rokafeller
- Regular
- Posts: 71
- Joined: Wed Jul 22, 2009 8:57 pm
- Location: Italy
Running D-Link DSL-G624T, PSP bootloader in place of the original Adam2, RouterTech Firmware v2.97. OpenVPN and port knocking services activated.
Re: Decompile/disassemble embedded software (bootloaders)
The bootloaders are a bit bigger than 64 bytes! About 1024 times bigger! There is source code available for some adam2, pspboot or Broadcom CFE bootloaders, but individual manufacturers may tweak RAM timings or switch chip initialization, and the sources in GPL releases may not be the ones used! Pretty thankless task; you need to be proficient with JTAG tools or you will make real bricks!
If you start now I'd recommend looking at ARM routers: like mobile phones, next-gen routers seem to be switching to ARM cores, which is fascinating for some of us old enough to remember the history of Acorn computers...
- rokafeller
- Regular
- Posts: 71
- Joined: Wed Jul 22, 2009 8:57 pm
- Location: Italy
Re: Decompile/disassemble embedded software (bootloaders)
I currently have a working JTAG setup (on the TI AR7 platform) so I can play around.
About bootloader sizes... am I missing anything here?
Take for example the G624T (and that applies to several other boxes as well):
partition  start       end         size       Name
mtd2       0x90000000  0x90010000  64 KiB     Bootloader
mtd1       0x90010090  0x90091000  ~516 KiB   Kernel
mtd0       0x90091000  0x903f0000  3452 KiB   Root filesystem
mtd3       0x903f0000  0x90400000  64 KiB     Configuration
mtd4       0x90010000  0x903f0000  3968 KiB
According to my knowledge, bootloaders like adam2 or psp shouldn't contain self-decompressing routines, so their real size should be the partition size...
Running D-Link DSL-G624T, PSP bootloader in place of the original Adam2, RouterTech Firmware v2.97. OpenVPN and port knocking services activated.
Re: Decompile/disassemble embedded software (bootloaders)
Your first post missed the "k" in the bootloader size! Broadcom CFEs are generally bigger, but will always fit into a number of flash erase blocks; for bigger flash chips there will be up to 256 kB ones.
There were some adam2 or pspboot sources (possibly incomplete) in Linksys or Acorp GPL releases, not sure about D-Link; some of these have specific flash chips which need specific drivers.
How old are your TI AR7 routers? RouterTech firmware has kept them going for years after the original manufacturers abandoned them, but there's not much future in ADSL connections!
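The partition table quoted for the DSL-G624T and the point about images always occupying whole flash erase blocks can be checked before anything is written to the chip. The script below is an added example, not code from the thread or from the RouterTech/adam2/pspboot projects: it parses the posted mtd table, recomputes each partition size from its addresses, and reports which neighbouring partitions a given image would clobber once its size is rounded up to the erase block (the 64 KiB block size is an assumption for this 4 MiB flash part).

```python
import re
from dataclasses import dataclass

# Constructed input: the D-Link DSL-G624T partition table quoted in the thread.
MTD_TABLE = """\
partition start end size Name
mtd2 0x90000000 0x90010000 64 KiB Bootloader
mtd1 0x90010090 0x90091000 ~516 KiB Kernel
mtd0 0x90091000 0x903f0000 3452 KiB Root filesystem
mtd3 0x903f0000 0x90400000 64 KiB Configuration
mtd4 0x90010000 0x903f0000 3968 KiB
"""

ERASE_BLOCK = 0x10000  # 64 KiB erase block, an assumption for this 4 MiB flash part

@dataclass
class Partition:
    name: str
    start: int
    end: int  # exclusive
    label: str

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_mtd_table(text: str) -> list[Partition]:
    """Parse 'mtdN start end size Name' rows; sizes are recomputed from the addresses."""
    row = re.compile(r"^(mtd\d+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+~?\d+\s*KiB\s*(.*)$")
    parts = []
    for line in text.splitlines():
        m = row.match(line.strip())
        if m:
            parts.append(Partition(m[1], int(m[2], 16), int(m[3], 16), m[4].strip()))
    return parts

def round_up_to_block(size: int, block: int = ERASE_BLOCK) -> int:
    """Flash is erased a whole block at a time, so a write consumes the rounded-up size."""
    return -(-size // block) * block

def write_spill(parts: list[Partition], target: str, image_size: int,
                block: int = ERASE_BLOCK) -> list[str]:
    """Names of the other partitions an image of image_size bytes would touch if it
    were flashed at the start of `target`, counting every erase block it occupies."""
    tgt = next(p for p in parts if p.name == target)
    wstart, wend = tgt.start, tgt.start + round_up_to_block(image_size, block)
    return [p.name for p in parts
            if p.name != target and p.start < wend and wstart < p.end]

def erase_block_aligned(p: Partition, block: int = ERASE_BLOCK) -> bool:
    """True when both the start and the size sit on erase-block boundaries."""
    return p.start % block == 0 and p.size % block == 0
```

Note that a single byte over 64 KiB in the bootloader image already pulls the next erase block, which is where the kernel (mtd1) and the combined image region (mtd4) begin.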