Flag: Tornado! Hurricane!

 Forums >>  Target Specific - General  >>  Embedded Router Firmware Mystery

Topic created on: August 24, 2011 13:45 CDT by nixscripter .

Hello everyone.

I'm working on a project just as a curiosity: an ancient Linksys router. So ancient that this is before Linux and VXworks.

Here is a little piece that I'm guessing is related to the boot function, based on repeating patterns

http://minus.com/mGhY03TS0

The mystery is what this data actually is:
- Based on repeating patterns, it's not compressed or encrypted
- Though the chip is ARM, it does not seem to be ARM instructions (though it could be a variant I'm not aware of)
- It doesn't seem like a "filesystem" (data layout), because I don't see any of the data matching things later in the file.

Any thoughts?

  igorsk     August 24, 2011 17:10.18 CDT
It's big-endian ARM. "Ex" almost every fourth byte is a dead giveaway.

  nixscripter     August 26, 2011 11:19.32 CDT
You're right. Thanks. I missed that before, because I was using a disassembler that was worthless.

The file seems to be ARM dissassembly, big-endian, raw. If I disassemble the whole thing with the (much better) disassembler, I get some logical regions like:


      88:       e10f0000        mrs     r0, CPSR
      8c:       e38000c0        orr     r0, r0, #192    ; 0xc0
      90:       e129f000        msr     CPSR_fc, r0
      94:       e3a000d2        mov     r0, #210        ; 0xd2
      98:       e169f000        msr     SPSR_fc, r0
      9c:       e59f0388        ldr     r0, [pc, #904]  ; 42c
      a0:       e1a0d000        mov     sp, r0
      a4:       e28f0008        add     r0, pc, #8      ; 0x8
      a8:       e1a0e000        mov     lr, r0
      ac:       e1b0f00e        movs    pc, lr
      b0:       e1a00000        mov r0,r0 (nop)
      b4:       e3a000d1        mov     r0, #209        ; 0xd1
      b8:       e169f000        msr     SPSR_fc, r0


However, there are still two strange regions, one at the top of the file, the other about 0x480 in, which disassemble as branches.


       0:       ea00000a        b       30
       4:       ea00000d        b       40
       8:       ea00001b        b       7c
       c:       ea00000e        b       4c
      10:       ea000010        b       58
      14:       ea000012        b       64
      18:       ea0000db        b       38c
      1c:       ea000013        b       70


And the other:


     490:       ea00000a        b       4c0
     494:       ea00000d        b       4d0
     498:       ea00001b        b       50c
     49c:       ea00000e        b       4dc      
     4a0:       ea000010        b       4e8
     4a4:       ea000012        b       4f4


Nothing jumps to those instructions, so unless it's someone's idea of debug info, it looks to me like garbage (meaning a header that shouldn't be disassembled). But I'm curious as to why it repeats if it is.

I think this might be progress!

  igorsk     August 27, 2011 09:04.31 CDT
That's exception vectors. Read the manual for the chip.

  nixscripter     August 28, 2011 11:01.18 CDT
I suppose now that I've figured that out, it's time for that, isn't it? :-)

Thanks a lot.

Note: Registration is required to post to the forums.

There are 31,099 total registered users.


Recently Created Topics
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15


Recent Forum Posts
Looking for an advan...
tthtlc
Looking for an advan...
tthtlc
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit