#1
08-18-2011, 08:33 PM
nixscripter
Member
Join Date: Aug 2011
Posts: 7
[SOLVED] What is this? Maybe Code?

I'm not sure if this is the right place to ask, but I'm trying to figure out what this data is. It comes from the firmware of an old Linksys router I'm playing with.

I'm mystified because:
  • It's too patterned to be compressed or encrypted data
  • It's not organized like a block-oriented filesystem
  • It doesn't conform to an executable format I know about, and doesn't disassemble (it's an ARM-based chip)
  • I can't find any specific patterns or any numbers that seem to mean something (e.g. file sizes).

Here's a sample from the beginning. Any clue would be helpful.

Code:
0000000: ea00 000a ea00 000d ea00 001b ea00 000e  ................
0000010: ea00 0010 ea00 0012 ea00 00db ea00 0013  ................
0000020: e402 9700 5742 3235 0000 0000 0000 4e00  ....WB25......N.
0000030: ea00 0014 e1a0 0000 ea00 0012 e1a0 0000  ................
0000040: e1a0 0000 eaff fffb e1a0 0000 e1a0 0000  ................
0000050: eaff fff8 e1a0 0000 e1a0 0000 eaff fff5  ................
0000060: e1a0 0000 e1a0 0000 eaff fff2 e1a0 0000  ................
0000070: e1a0 0000 eaff ffef e1a0 0000 e1a0 0000  ................
0000080: ebff ffec e1a0 0000 e10f 0000 e380 00c0  ................
0000090: e129 f000 e3a0 00d2 e169 f000 e59f 0388  .).......i......
00000a0: e1a0 d000 e28f 0008 e1a0 e000 e1b0 f00e  ................
00000b0: e1a0 0000 e3a0 00d1 e169 f000 e59f 0368  .........i.....h
00000c0: e1a0 d000 e28f 0008 e1a0 e000 e1b0 f00e  ................
00000d0: e1a0 0000 e3a0 00d7 e169 f000 e59f 0348  .........i.....H
00000e0: e1a0 d000 e28f 0008 e1a0 e000 e1b0 f00e  ................
00000f0: e1a0 0000 e3a0 00db e169 f000 e59f 0328  .........i.....(
0000100: e1a0 d000 e28f 0008 e1a0 e000 e1b0 f00e  ................
0000110: e1a0 0000 e3a0 00df e169 f000 e59f 0308  .........i......
0000120: e1a0 d000 e28f 0008 e1a0 e000 e1b0 f00e  ................
0000130: e1a0 0000 ea00 0005 e1a0 0000 a000 4700  ..............G.
0000140: e24f 0e11 e1a0 e000 e1b0 f00e e1a0 0000  .O..............
0000150: e3a0 0020 e1d0 00b0 e350 0000 1a00 0000  ... .....P......
0000160: ea00 0048 e28f 0b01 e280 0ff1 e890 1ffe  ...H............
0000170: e59f 02c8 e880 1ffe e28f 0005 e12f ff10  ............./..
0000180: e1a0 0000 48af 49b0 6001 48b0 49b0 6001  ....H.I.`.H.I.`.
0000190: 48b0 2100 6001 48b0 2100 6001 48af 6001  H.!.`.H.!.`.H.`.
00001a0: 48af 8801 4aaf 4291 d10b 8843 1c5b 8043  H...J.B....C.[.C
00001b0: 48ad 49ae 2200 6002 1d00 1f09 d1fb 1c00  H.I.".`.........
00001c0: e01d 2300 8043 48a8 49a9 4aaa 4baa 6002  ..#..CH.I.J.K.`.
00001d0: 1d00 18d2 1f09 d1fa 48a3 49a5 4aa5 2500  ........H.I.J.%.
00001e0: 6804 4294 d106 6005 1d00 18d2 1f09 d1f7  h.B...`.........
00001f0: 2500 e002 1c00 e7fd 2501 4899 8105 2020  %.......%.H...  
0000200: 8800 499e 4288 d105 1c09 2400 4a97 4d96  ..I.B.....$.J.M.
0000210: e031 1c09 489a 7844 0224 7805 1962 4c99  .1..H.xD.$x..bL.
0000220: 4999 428a dc0d 0292 1c13 2100 7820 1809  I.B.......!.x ..
0000230: 1c64 1e5b d1fa 1c00 20ff 4001 2900 d017  .d.[.... .@.)...
0000240: 1c09 2418 4a91 4d88 4991 6029 1d2d 4991  ..$.J.M.I.`).-I.
0000250: 6029 1d2d 4990 6029 1d2d 4990 6029 1d2d  `).-I.`).-I.`).-
0000260: 498f 6029 1d2d 498f 6029 1d2d e003 1c09  I.`).-I.`).-....
0000270: 4c84 4a8d 4d7c 6821 6029 1d24 1d2d 1f12  L.J.M|h!`).$.-..
0000280: d1f9 a001 4700 1c00 e28f 0b01 e280 0e2d  ....G..........-
0000290: e890 1ffe e59f 01a4 e880 1ffe e28f 0005  ................
00002a0: e12f ff10 e1a0 0000 4d80 2100 4a80 6029  ./......M.!.J.`)
00002b0: 1d2d 1f12 d1fb 4863 497e 6001 4863 4964  .-....HcI~`.HcId
00002c0: 6001 4864 2100 6001 4863 2100 6001 4863  `.Hd!.`.Hc!.`.Hc
00002d0: 6001 4879 4979 6001 4979 6041 4979 6081  `.HyIy`.Iy`AIy`.
00002e0: 4979 60c1 4979 6101 210a 6141 4878 4979  Iy`.Iya.!.aAHxIy
00002f0: 6001 4879 4979 6001 4879 497a 6001 497a  `.HyIy`.HyIz`.Iz
0000300: 6041 487a 497a 6001 487a 6001 487a 2101  `AHzIz`.Hz`.Hz!.
0000310: 6001 487a 2200 497a 5281 2202 4979 5281  `.Hz".IzR.".IyR.
0000320: 2206 2100 5281 2208 4977 5281 220a 4977  ".!.R.".IwR.".Iw
0000330: 5281 220c 4976 5281 221a 2100 5281 2202  R.".IvR.".!.R.".
0000340: 4974 5281 2200 4974 5281 4874 6800 4974  ItR.".ItR.Hth.It
0000350: 1a40 d008 4871 4972 6001 4872 2100 6001  .@..HqIr`.Hr!.`.
0000360: 4871 4972 6001 4972 468d 2000 1c01 1c02  HqIr`.IrF. .....
0000370: 1c03 1c04 1c05 1c06 1c07 4680 4683 4684  ..........F.F.F.
0000380: f04a f912 f000 fb12 1c00 0000 e92d 400f  .J...........-@.
0000390: e28f 0001 e12f ff10 4b66 681b 089b 2b0c  ...../..Kfh...+.
00003a0: d002 1c00 1c00 1c00 200c 4343 4862 181b  ........ .CCHb..
00003b0: 6819 6858 a201 4696 4708 0000 a000 4700  h.hX..F.G.....G.
00003c0: e8bd 400f e25e f004 e1a0 0000 4b5b 6018  ..@..^......K[`.
00003d0: 3010 3110 a300 4718 e10f 3000 e581 3040  0.1...G...0...0@
00003e0: e8c1 7fff e590 3040 e129 f003 e8d0 7fff  ......0@.)......
00003f0: e28f 3001 e12f ff13 46f7 1c00 484f 6800  ..0../..F...HOh.
0000400: 46f7 1c00 484e 6800 46f7 1c00 4845 46f7  F...HNh.F...HEF.
0000410: 1c00 494b 6008 46f7 1c00 484a 6800 46f7  ..IK`.F...HJh.F.
0000420: 1c00 4849 6800 46f7 1c00 0000 000e 0394  ..HIh.F.........
0000430: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000440: 03ff 3010 03ff 0000 87ff ff91 03ff 4008  ..0...........@.
0000450: 003f ffff 03ff 4000 03ff b000 03ff c000  .?....@.........
0000460: 013f ffe0 0000 1234 0100 0000 0010 0000  .?.....4........
0000470: 003f ff00 0001 0203 0404 0404 0000 0100  .?..............
0000480: 0001 0020 0001 0000 0000 0380 0000 ffe8  ... ............

Last edited by nixscripter : 09-09-2011 at 11:42 AM. Reason: Marked as solved
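
One check a practitioner would run on the sample in the first post, as an added example that is not part of the thread or of anyone's post: read the first eight 32-bit words under both byte orders and see whether they form an ARM exception vector table of unconditional branches. This goes a step beyond what the thread states; `SAMPLE` is copied from the first two lines of the listing, and the function names are made up for this example.

```python
# Added example: test both byte orders against the ARM exception vector layout.
# SAMPLE is the first 32 bytes of the xxd listing in post #1.
SAMPLE = bytes.fromhex(
    "ea00000a ea00000d ea00001b ea00000e "
    "ea000010 ea000012 ea0000db ea000013"
)

# Classic ARM exception vectors sit at offsets 0x00..0x1c, one word each.
VECTORS = ["reset", "undef", "swi", "prefetch_abort",
           "data_abort", "reserved", "irq", "fiq"]


def branch_target(word, addr):
    """Return the target of an unconditional ARM `B`, else None."""
    if word >> 24 != 0xEA:          # cond = AL (0xE), bits 27..24 = 1010
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit word offset
        imm24 -= 1 << 24
    return addr + 8 + (imm24 << 2)  # PC reads as instruction address + 8


def vector_targets(data, byteorder):
    """Decode the first eight words as vectors under the given byte order."""
    out = {}
    for i, name in enumerate(VECTORS):
        addr = i * 4
        word = int.from_bytes(data[addr:addr + 4], byteorder)
        out[name] = branch_target(word, addr)
    return out


def guess_byte_order(data):
    """Pick the byte order under which more vector slots are plain branches."""
    hits = {bo: sum(t is not None for t in vector_targets(data, bo).values())
            for bo in ("big", "little")}
    return max(hits, key=hits.get), hits


if __name__ == "__main__":
    order, hits = guess_byte_order(SAMPLE)
    print("branch hits per byte order:", hits, "->", order)
    for name, target in vector_targets(SAMPLE, order).items():
        print(name, hex(target) if target is not None else "not a branch")
```

On this sample the big-endian reading gives eight branches and the little-endian reading gives none. The IRQ slot resolves to 0x38c, where the listing shows `e92d 400f`, which as a big-endian ARM word is a push of r0-r3 and lr.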

#2
08-19-2011, 08:02 AM
Git
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Please upload large amounts of data as a file, not posted in the message. Thanks.

Git

#3
08-19-2011, 08:25 AM
nixscripter
Member
Join Date: Aug 2011
Posts: 7

You can get the entire firmware image from the manufacturer here:

http://homedownloads.cisco.com/downl...1.45.10_fw.bin

All I am trying to figure out is the structure of this file. The first 1k seems to be a section, based on the fact that the string at the top (first 16 bytes) repeats exactly once. That's why I posted only that much initially.

(P.S. I have not found any detailed examination of this file at all, which is why I'm asking here.)

#4
08-19-2011, 02:23 PM
Git
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

I'm not *asking* you to upload it, I'm asking you *not* to post just large amounts of data as text when you can upload it as a file.

Git
Moderator

#5
08-20-2011, 12:08 PM
nixscripter
Member
Join Date: Aug 2011
Posts: 7

At the risk of being naive, I can't post attachments according to the Posting Rules of the thread. What do you expect me to do?

#6
08-20-2011, 05:15 PM
Git
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Upload to a file server and post the link. Posting that much data as text is ridiculous.

Git

#7
08-21-2011, 11:46 AM
nixscripter
Member
Join Date: Aug 2011
Posts: 7

Okay then, here it is:

http://minus.com/mGhY03TS0

#8
08-24-2011, 01:26 PM
Dzeimis
Member
Join Date: Aug 2011
Posts: 5

What I found by quickly looking through the file is that it contains router configuration pages stored in plain text. These start at 0x4D1DF.

#9
08-24-2011, 02:24 PM
nixscripter
Member
Join Date: Aug 2011
Posts: 7

Indeed. That's what makes me think it's not compressed or encrypted.

But I can't figure out what the structure is -- i.e. how is the data organized? All of the reverse engineering advice I can find (about how firmware appears, noted in the first post) doesn't seem to apply. That's why I'm mystified.

#10
08-24-2011, 04:59 PM
Git
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Do you know what type of CPU it is?

Git