I own a COMpact 3000 ISDN telephony switchboard from Auerswald, a German manufacturer. They use a Linux-based firmware and I got interested in what's in there.
For firmware updates, you may download a .rom file and upload that to the device. Since this file contains everything except my current settings, it is ideal to study the software.
Firmware extraction
Peeking into the device's firmware is unfortunately not that easy because it's not just a zip or tbz2 file but some custom bootable file. devttys0 has an excellent guide on firmware analysis and extraction - it contains all information I needed to be able to get the COMpact's firmware extracted.
binwalk
binwalk is a tool to analyze firmware files. When trying to get information about a file, use it as your first stop.

    $ binwalk comp_3000_v4.0E-000.rom

    DECIMAL    HEX        DESCRIPTION
    ---------------------------------------------------------------------------------
    0          0x0        uImage header, header size: 64 bytes, header CRC: 0x6FE61EE6, created: Fri Sep 2 10:26:30 2011, image size: 1278152 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x1F08F346, OS: Linux, CPU: Blackfin, image type: Multi-File Image, compression type: none, image name: 66161
    84         0x54       uImage header, header size: 64 bytes, header CRC: 0x9430A345, created: Fri Sep 2 10:25:54 2011, image size: 203 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xB0BE90CB, OS: Linux, CPU: Blackfin, image type: Script file, compression type: none, image name: bootscript
    352        0x160      uImage header, header size: 64 bytes, header CRC: 0xDC5B5D02, created: Fri Aug 26 11:34:33 2011, image size: 1274361 bytes, Data Address: 0x1000, Entry Point: 0x242AB8, data CRC: 0xED8F7714, OS: Linux, CPU: Blackfin, image type: OS Kernel Image, compression type: gzip, image name: Linux-2.6.26.5-ADI-2009R1-pre-gd\037\213\010
    416        0x1A0      gzip compressed data, from Unix, last modified: Fri Aug 26 11:34:32 2011, max compression
There we go! A gzipped data file we can extract:
    $ dd if=comp_3000_v4.0E-000.rom bs=1 skip=416 of=com.gz
    26017376+0 Datensätze ein
    26017376+0 Datensätze aus
    26017376 Bytes (26 MB) kopiert, 51,5588 s, 505 kB/s
    $ gunzip com.gz
    gzip: com.gz: decompression OK, trailing garbage ignored
    $ ls -la
    -rw-r--r-- 1 cweiske users  2442276 2011-11-02 22:19 com
    -rw-r--r-- 1 cweiske users 26017376 2011-11-02 22:17 com.gz
Unfortunately, not all of the content was part of the gzipped file - only 2.4MiB got extracted from the 26MiB data block. This is unlikely to be the firmware, since the 23MiB left would be wasted data. binwalk didn't give more information, so I was on my own.
hexdump
All on my own, I used hexdump with some parameters (aliased as hd) to get a human-readable view of the file. In that file, I looked for lines with only a * on them - hexdump uses that to indicate that the last line, often only zeros, was repeated often. This is a sign of a new data block that has been aligned to a certain address.

    hd
    $ less hd
    (type "/\*$" there to look for lines with * only)
    00137f70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    001ffe60 85 19 01 e0 2b 00 00 00 e6 6e 26 7d 01 00 00 00 |....+....n&}....|
    001ffe70 00 00 00 00 02 00 00 00 c9 03 c3 4b 03 04 00 00 |...........K....|
    001ffe80 28 e1 be 70 ff 83 66 55 62 69 6e ff 85 19 02 e0 |(..p..fUbin.....|
    001ffe90 44 00 00 00 1d fb f7 98 02 00 00 00 01 00 00 00 |D...............|
    001ffea0 ed 41 00 00 00 00 00 00 00 00 00 00 c9 03 c3 4b |.A.............K|
    001ffeb0 c9 03 c3 4b c9 03 c3 4b 00 00 00 00 00 00 00 00 |...K...K........|
    001ffec0 00 00 00 00 00 00 00 00 00 00 00 00 15 d8 2e cc |................|
    001ffed0 85 19 01 e0 2c 00 00 00 5f 56 f1 e0 01 00 00 00 |....,..._V......|
    001ffee0 01 00 00 00 03 00 00 00 96 f7 c2 4b 04 04 00 00 |...........K....|
    001ffef0 6a 28 cf 0f 7f 2c b7 8c 64 61 74 61 85 19 02 e0 |j(...,..data....|
    001fff00 44 00 00 00 1d fb f7 98 03 00 00 00 01 00 00 00 |D...............|
    001fff10 ed 41 00 00 00 00 00 00 00 00 00 00 96 f7 c2 4b |.A.............K|
    001fff20 96 f7 c2 4b 96 f7 c2 4b 00 00 00 00 00 00 00 00 |...K...K........|
    001fff30 00 00 00 00 00 00 00 00 00 00 00 00 50 21 16 3b |............P!.;|
    001fff40 85 19 01 e0 2b 00 00 00 e6 6e 26 7d 01 00 00 00 |....+....n&}....|
    001fff50 02 00 00 00 04 00 00 00 aa f7 c2 4b 03 04 00 00 |...........K....|
    001fff60 9c 0b 2a 1d 17 28 32 ee 64 65 76 ff 85 19 02 e0 |..*..(2.dev.....|
    001fff70 44 00 00 00 1d fb f7 98 04 00 00 00 01 00 00 00 |D...............|
    001fff80 ed 41 00 00 00 00 00 00 00 00 00 00 aa f7 c2 4b |.A.............K|
    001fff90 aa f7 c2 4b aa f7 c2 4b 00 00 00 00 00 00 00 00 |...K...K........|
    001fffa0 00 00 00 00 00 00 00 00 00 00 00 00 cb 2c 21 be |.............,!.|
    001fffb0 85 19 01 e0 2b 00 00 00 e6 6e 26 7d 01 00 00 00 |....+....n&}....|
    001fffc0 03 00 00 00 05 00 00 00 1a 93 60 4e 03 04 00 00 |..........`N....|
    001fffd0 a6 57 dc 1d db 85 f4 d1 65 74 63 ff 85 19 02 e0 |.W......etc.....|
This looks like a file system: bin, dev, etc and some mysterious data. Let's extract it:
    $ dd if=com.gz bs=1 skip=$((0x001ffe60)) of=filesys
    23920640+0 Datensätze ein
    23920640+0 Datensätze aus
    23920640 Bytes (24 MB) kopiert, 61,8806 s, 387 kB/s
    $ file filesys
    filesys: Linux jffs2 filesystem data little endian
Whoo! We found a jffs2 file system that is commonly used on flash devices.
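The start of the file system, found above by eye in the hexdump, can also be located programmatically. The following is an added example, not code from the original post: it scans a blob for little-endian JFFS2 node headers (magic 0x1985), accepts only those whose header CRC is valid, and lists the directory entry names. The function names are made up for illustration; the sample consists of two directory entry nodes copied from the hexdump above, with constructed padding and a constructed decoy header in front.

```python
import struct
import zlib

NODETYPE_DIRENT = 0xE001  # JFFS2 directory entry node ("85 19 01 e0" on disk)

def jffs2_crc(data: bytes) -> int:
    """CRC32 the way JFFS2 uses it: seed 0 and no final inversion."""
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF

def scan_nodes(blob: bytes):
    """Yield (offset, nodetype, totlen) for every little-endian JFFS2 node
    whose 12-byte common header (magic, type, totlen, hdr_crc) is valid."""
    pos = blob.find(b"\x85\x19")
    while pos != -1 and pos + 12 <= len(blob):
        _magic, nodetype, totlen, hdr_crc = struct.unpack_from("<HHII", blob, pos)
        if hdr_crc == jffs2_crc(blob[pos:pos + 8]) and 12 <= totlen <= len(blob) - pos:
            yield pos, nodetype, totlen
            pos += (totlen + 3) & ~3   # nodes are padded to 4-byte boundaries
        else:
            pos += 1                   # chance hit on 85 19, keep searching
        pos = blob.find(b"\x85\x19", pos)

def dirent_names(blob: bytes):
    """Return (offset of the first valid node, names of all dirent nodes)."""
    first, names = None, []
    for off, nodetype, totlen in scan_nodes(blob):
        if first is None:
            first = off
        if nodetype == NODETYPE_DIRENT and totlen >= 40:
            nsize = blob[off + 28]     # name length; the name starts at byte 40
            names.append(blob[off + 40:off + 40 + nsize].decode("latin-1"))
    return first, names

# "bin" and "etc" dirent nodes copied from the hexdump above. The zero padding
# and the decoy header with a wrong CRC in front of them are constructed.
BIN = bytes.fromhex("851901e02b000000e66e267d01000000"
                    "0000000002000000c903c34b03040000"
                    "28e1be70ff83665562696eff")
ETC = bytes.fromhex("851901e02b000000e66e267d01000000"
                    "03000000050000001a93604e03040000"
                    "a657dc1ddb85f4d1657463ff")
SAMPLE = bytes(32) + bytes.fromhex("851901e02b000000deadbeef") + bytes(4) + BIN + ETC

if __name__ == "__main__":
    first, names = dirent_names(SAMPLE)
    print(f"first JFFS2 node at {first:#x}, dirents: {names}")
```

Run against the real image, the first offset it reports is the value to pass to dd as skip.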
Mounting a jffs2 file system
Unfortunately, this is not as easy as running a simple mount command; you need to do a bit more as the elinux wiki told me:
    $ ls -la .
    -rw-r--r-- 1 cweiske users 23920640 2011-11-02 22:40 filesys.jffs2
    $ sudo modprobe mtdram total_size=23920 (size in kb)
    $ sudo modprobe mtdblock
    $ sudo modprobe jffs2
    $ sudo dd if=filesys.jffs2 of=/dev/mtdblock0
    46720+0 Datensätze ein
    46720+0 Datensätze aus
    23920640 Bytes (24 MB) kopiert, 0,159185 s, 150 MB/s
    $ mkdir jffs2
    $ sudo mount /dev/mtdblock0 /home/cweiske/auerswald-compact/jffs2/ -t jffs2
    $ ls jffs2/
    bin data dev etc home lib mnt opt proc root sbin svn_info.txt sys tmp usr var
Yep, that's it. Looking around a bit shows us that there is another file system with the static web server files:
Some interesting files seem to be eks, the main web server, and dgserverd, the dongle server which verifies the activation codes for additional features.