Comments on w00tsec: Firmware Forensics: Diffs, Timelines, ELFs and Backdoors

Bernardo Rodrigues, 2015-02-23T00:16:18.215-03:00

You can use these checks to find the correct processor:

$ binwalk 3C -A

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
972           0x3CC           MIPSEL instructions, function epilogue
1204          0x4B4           MIPSEL instructions, function epilogue
1324          0x52C           MIPSEL instructions, function epilogue
1496          0x5D8           MIPSEL instructions, function epilogue
1776          0x6F0           MIPSEL instructions, function epilogue
1908          0x774           MIPSEL instructions, function epilogue
2056          0x808           MIPSEL instructions, function epilogue
2152          0x868           MIPSEL instructions, function epilogue
2360          0x938           MIPSEL instructions, function epilogue
2576          0xA10           MIPSEL instructions, function epilogue
3696          0xE70           MIPSEL instructions, function epilogue

$ binwalk 3C --disasm -v
Scan Time: 2015-02-23 00:05:57
Target File: 3C
MD5 Checksum: 3108cdb7f0ab697feff245032b282109

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
908           0x38C           MIPS executable code, 32/64-bit, little endian, at least 699 valid instructions
908           0x38C           lw $v0, 0x94($sp)
912           0x390           j 0x30024c
916           0x394           addu $v1, $v1, $v0
920           0x398           ori $v0, $v0, 0x1000
924           0x39C           jalr $v0
928           0x3A0           nop
(...)

Try to disassemble this loader before (in ELF format) -> https://downloads.openwrt.org/barrier_breaker/14.07/brcm47xx/generic/OpenWrt-ImageBuilder-brcm47xx_generic-for-linux-x86_64.tar.bz2

Anonymous, 2015-02-22T09:45:24.505-03:00

I used the mipsb processor in IDA to open this file, but IDA couldn't decode the instructions. What is the correct processor type for this?

Bernardo Rodrigues, 2015-02-21T17:19:04.884-02:00

Binwalk seems to be extracting gzip compressed data automatically, so you don't need to gunzip it:

$ binwalk -Me openwrt-wrtsl54gs-squashfs.bin

Scan Time: 2015-02-21 17:11:18
Target File: openwrt-wrtsl54gs-squashfs.bin
MD5 Checksum: 89eb04626aef962d5d15d584c500a7ab
Signatures: 328

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             BIN-Header, board ID: W54U, hardware version: 4702, firmware version: 2.8.8, build date: 2007-02-03
32            0x20            TRX firmware header, little endian, image size: 1323008 bytes, CRC32: 0x6CAC483, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x8D8, rootfs offset: 0x7E400
60            0x3C            gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2296          0x8F8           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: -1 bytes
517152        0x7E420         Squashfs filesystem, little endian, version 2.1, size: 805671 bytes, 269 inodes, blocksize: 65536 bytes, created: 2014-10-29 18:53:25

$ binwalk _openwrt-wrtsl54gs-squashfs.bin.extracted/3C

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------


$ hexdump -C -s 0x3C openwrt-wrtsl54gs-squashfs.bin | head
0000003c 1f 8b 08 00 00 00 00 00 02 03 a5 56 41 6c 1b 69 |...........VAl.i|
0000004c 15 fe fc cf 24 71 d2 b8 4c 1c b7 9a 96 aa 9a bf |....$q..L.......|

$ hexdump -C 3C | head
00000000 30 80 0a 3c 00 00 44 21 00 80 05 3c 30 11 a5 24 |0..<..D!...<0..$|
00000010 00 80 06 3c 78 1e c6 24 00 00 a8 8c 00 00 88 ac |...<x..$........|

Anonymous, 2015-02-17T10:23:36.184-02:00

After extracting, I got these files:
3C 7E420.squashfs 8F8 8F8.7z

How do I use gunzip to decompress the 3C file?