How To Use Atheros Eeprom Tool


Reversing the WRT120N's Firmware Obfuscation (devttys0)

It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look. The latest firmware update for the WRT120N didn't give me much to work with:

[Image: Binwalk firmware update analysis]

As you can see, there is a small LZMA compressed block of data; this turned out to just be the HTML files for the router's web interface. The majority of the firmware image is unidentified and very random. With nothing else to go on, curiosity got the best of me and I ordered one (truly, Amazon Prime is not the best thing to ever happen to my bank account).

Hardware Analysis

A first glance at the hardware showed that the WRT120N had an Atheros AR7… SoC, a 2… MB SPI flash chip, 3… MB of RAM, and what appeared to be some serial and JTAG headers:

[Image: WRT120N PCB]

Looking to get some more insight into the device's boot process, I started with the serial port (UART header). I've talked about serial ports in detail elsewhere, so I won't dwell on the methods used here. However, with a quick visual inspection and a multimeter it was easy to identify the serial port's pinout as Pin 2 RX, Pin 3 TX, Pin 5 Ground. The serial port runs at 115200:

Miniterm on /dev/ttyUSB0: 115200,8,N,1
Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H

Wireless Router WG7…G11 LF 8. 8 Loader v…
Feb 5 2…
Arcadyan Technology Corporation
MX25L1605D found
Copying boot params... DONE
Press Space Bar 3 times to enter command mode...
Flash Checking Passed
Unzipping firmware at 0x…
ZIP 3 ZIP 1 done
In centry function
Set GPIO 11 to OUTPUT
Set GPIO 1 to OUTPUT
Set GPIO 0 to OUTPUT
Set GPIO 6 to INPUT
Set GPIO 12 to INPUT
Timer 0 is requested
D5. B0. 4. end 0x…
Backup Data from 0x…FFBFC len 5. 83. 39…
Backup Data completed
Backup Data verified
INIT Hardware
Startup
INIT System Log Pool startup
INIT MTinitialize
CPU Clock 3. 50. 00… Hz
initUScounter time
UScounter 7. 0…
Runtime code version v…
System startup
INIT Memory COLOR 0, 1…
INIT Memory COLOR 1, 1…
INIT Memory COLOR 2, 2…
INIT tcpipstartup
Data size 1. 24…
Set flash memory layout to …
Boot Parameters found
Bootcode version v…
Serial number JUT0. L6. 02. 23. 3…
Hardware version 0. A…
The firmware looked to have been made by Arcadyan, and the "Unzipping firmware" message was particularly interesting; a bit of Googling turned up this post on reversing Arcadyan firmware obfuscation, though it appears to be different from the obfuscation used by the WRT120N.

The only interaction with the serial port was via the bootloader menu. During bootup you can break into the bootloader menu (press the space bar three times when prompted) and perform a few actions, like erasing flash and setting board options:

Press Space Bar 3 times to enter command mode...
Yes, Enter command mode...

[WG7005G11 LF 8… Boot]:
U Upload to Flash
E Erase Flash
G Run Runtime Code
A Set MAC Address
Set Serial Number
V Set Board Version
H Set Options
P Print Boot Params
I Load ART From TFTP
Set SKU Number
2 Set PIN Number

Unfortunately, the bootloader doesn't appear to provide any options for dumping the contents of RAM or flash. Although there is a JTAG header on the board, I opted for dumping the flash chip directly, since JTAG dumps tend to be slow and interfacing directly with SPI flash is trivial. Pretty much anything that can speak SPI can be used to read the flash chip; I used an FTDI C2…HM cable and the spiflash… utility:

FT232H Future Technology Devices International, Ltd initialized at 1…
Reading 20971… bytes...
Verifying... success.

The flash chip contains three LZMA compressed blocks and some MIPS code, but the main firmware image is still unknown:

[Image: Flash analysis]

The first two blocks of LZMA compressed data are part of an alternate recovery image, and the MIPS code is the bootloader. Besides some footer data, the rest of the flash chip simply contains a verbatim copy of the firmware update file.

Bootloader Analysis

The bootloader, besides being responsible for de-obfuscating and loading the firmware image into memory, contains some interesting tidbits.
I'll skip the boring parts in which I find the bootloader's load address, manually identify standard C functions, resolve jump table offsets, etc., and get to the good stuff.

First, very early in the boot process, the bootloader checks to see if the reset button has been pressed. If so, it starts up the TinyETCPIPKernel image, which is the small LZMA compressed recovery image, complete with a web interface:

[Image: Unzipping Tiny Kernel]

This is nice to know: if you ever end up with a bad firmware update, holding the reset button during boot will allow you to un-brick your router.

There is also a hidden administrator mode in the bootloader's UART menu:

[Image: Hidden bootloader menu]

Entering an option of … at the boot prompt:

[WG7005G11 LF 8… Boot]:
Enter Administrator Mode
U Upload to Flash
E Erase Flash
G Run Runtime Code
M Upload to Memory
R Read from Memory
W Write to Memory
Y Go to Memory
A Set MAC Address
Set Serial Number
V Set Board Version
H Set Options
P Print Boot Params
I Load ART From TFTP
Set SKU Number
2 Set PIN Number
[WG7005G11 LF 8… Boot]:

The most interesting part of the bootloader, of course, is the code that loads the obfuscated firmware image into memory.

Obfuscation Analysis

De-obfuscation is performed by the loados function, which is passed a pointer to the obfuscated image as well as an address where the image should be copied into memory. The de-obfuscation routine inside loados is not complicated:

[Image: De-obfuscation routine]

Basically, if the firmware image starts with the bytes 0x…, it:

1. Swaps the two 32-byte blocks of data at offsets 0x… and 0x…
2. Nibble swaps the first 3… bytes
3. Byte swaps each of the adjacent 3… bytes

At this point, the data at offset 0x… is an LZMA header, which is then decompressed. Implementing a de-obfuscation tool was trivial, and the WRT120N firmware can now be de-obfuscated and decompressed:

FWWRT120N1…US
Doing block swap...
Doing nibble swap...
Doing byte swap...
Saving data to …

[Image: Analysis of de-obfuscated firmware]
The de-obfuscation utility can be downloaded here for those interested.
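To make the three loados steps concrete, here is an added Python example. It is not the post's own utility (linked above) and not Arcadyan or Linksys code. It applies the block swap, nibble swap and byte swap in the order the post gives, then validates the result the way Binwalk would, by checking for a plausible LZMA header at the expected offset and decompressing the stream. The post elides the magic bytes and offsets it recovered from the bootloader, so MAGIC, BLOCK_A_OFF, BLOCK_B_OFF, SCRAMBLE_OFF, SCRAMBLE_LEN, LZMA_OFF and IMAGE_LEN are constructed placeholders (only the 32-byte block length comes from the post), and the sample image is built inline with Python's lzma module rather than taken from a real WRT120N update. It also goes one step beyond the text by showing the reverse direction: because each transform is its own inverse, running the three steps backwards re-obfuscates a clean image, which is what makes the round trip checkable offline.

```python
import lzma
import struct

# Image layout. The post elides the magic bytes and offsets it recovered from the
# bootloader, so every value here is a constructed placeholder chosen only so the
# example runs end to end; the 32-byte block length is the one value the post states.
MAGIC = b"\xde\xad\xf1\x0b"   # hypothetical marker the loader checks before de-obfuscating
BLOCK_LEN = 32                # block length stated in the post
BLOCK_A_OFF = 0x04            # hypothetical offset of the first swapped block
BLOCK_B_OFF = 0xC0            # hypothetical offset of the second swapped block
SCRAMBLE_OFF = 0x04           # hypothetical start of the nibble-/byte-swapped prefix
SCRAMBLE_LEN = 32             # hypothetical length of that prefix
LZMA_OFF = 0x04               # hypothetical offset of the LZMA header once unscrambled
IMAGE_LEN = 0x100             # size of the constructed sample image


def swap_blocks(buf: bytearray, off_a: int, off_b: int, length: int) -> None:
    """Step 1: exchange two equal-length, non-overlapping blocks in place."""
    saved = bytes(buf[off_a:off_a + length])
    buf[off_a:off_a + length] = buf[off_b:off_b + length]
    buf[off_b:off_b + length] = saved


def swap_nibbles(buf: bytearray, off: int, length: int) -> None:
    """Step 2: 0xAB -> 0xBA for every byte in the region."""
    for i in range(off, off + length):
        buf[i] = ((buf[i] & 0x0F) << 4) | (buf[i] >> 4)


def swap_adjacent_bytes(buf: bytearray, off: int, length: int) -> None:
    """Step 3: exchange every pair of neighbouring bytes in the region."""
    for i in range(off, off + length - 1, 2):
        buf[i], buf[i + 1] = buf[i + 1], buf[i]


def deobfuscate(image: bytes) -> bytes:
    """The three steps the post attributes to loados, in the order it gives them."""
    if not image.startswith(MAGIC):
        raise ValueError("magic mismatch: not an obfuscated image")
    buf = bytearray(image)
    swap_blocks(buf, BLOCK_A_OFF, BLOCK_B_OFF, BLOCK_LEN)
    swap_nibbles(buf, SCRAMBLE_OFF, SCRAMBLE_LEN)
    swap_adjacent_bytes(buf, SCRAMBLE_OFF, SCRAMBLE_LEN)
    return bytes(buf)


def obfuscate(image: bytes) -> bytes:
    """Each step is its own inverse, so running them in reverse order re-obfuscates."""
    buf = bytearray(image)
    swap_adjacent_bytes(buf, SCRAMBLE_OFF, SCRAMBLE_LEN)
    swap_nibbles(buf, SCRAMBLE_OFF, SCRAMBLE_LEN)
    swap_blocks(buf, BLOCK_A_OFF, BLOCK_B_OFF, BLOCK_LEN)
    return bytes(buf)


def looks_like_lzma_header(data: bytes, off: int) -> bool:
    """Signature-style check for a 13-byte LZMA 'alone' header, as Binwalk would apply."""
    if off + 13 > len(data) or data[off] >= 9 * 5 * 5:   # lc/lp/pb byte encodes 0..224
        return False
    dict_size, = struct.unpack_from("<I", data, off + 1)
    base = dict_size // 3 if dict_size % 3 == 0 else dict_size  # encoders use 2^n or 3*2^n
    if dict_size < 4096 or base & (base - 1):
        return False
    usize, = struct.unpack_from("<Q", data, off + 5)
    return usize == 0xFFFFFFFFFFFFFFFF or usize < (1 << 32)    # "unknown" or a sane size


def find_lzma_headers(data: bytes) -> list:
    """Offsets at which a plausible LZMA header starts."""
    return [i for i in range(len(data) - 12) if looks_like_lzma_header(data, i)]


def extract_lzma(data: bytes, off: int) -> bytes:
    """Decompress one LZMA 'alone' stream carved at off, tolerating trailing flash fill."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    out = dec.decompress(data[off:])
    if not dec.eof:
        raise ValueError("stream ended before its end-of-stream marker")
    return out


def build_sample_image(payload: bytes) -> bytes:
    """Constructed clean image: magic, LZMA stream at LZMA_OFF, then 0xFF erased-flash fill."""
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    body = MAGIC + b"\x00" * (LZMA_OFF - len(MAGIC)) + stream
    if len(body) > BLOCK_B_OFF:
        raise ValueError("sample payload too large for the placeholder layout")
    return body.ljust(IMAGE_LEN, b"\xff")


if __name__ == "__main__":
    payload = b"constructed firmware payload, not real WRT120N code\n" * 40
    clean = build_sample_image(payload)
    obf = obfuscate(clean)
    print("LZMA headers in clean image:     ", [hex(o) for o in find_lzma_headers(clean)])
    print("LZMA headers in obfuscated image:", [hex(o) for o in find_lzma_headers(obf)])
    recovered = deobfuscate(obf)
    print("round trip restored the image:", recovered == clean)
    print("payload recovered intact:", extract_lzma(recovered, LZMA_OFF) == payload)
```

The header heuristic is deliberately loose, in the spirit of a Binwalk signature: it accepts any properties byte in the legal range, a dictionary size of 2^n or 3*2^n, and either an "unknown" or a sane uncompressed size. That is enough to explain why the obfuscated update looked like unidentified random data (the header bytes are scrambled and displaced), but a real tool should confirm a candidate by decompressing it, as extract_lzma does, rather than trusting the header alone. To analyse an actual image, the placeholders would be replaced by the values read out of the bootloader disassembly.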