Embedded Router Firmware Mystery

Topic created on: August 24, 2011 13:45 CDT by nixscripter .

Hello everyone.

I'm working on a project just as a curiosity: an ancient Linksys router. So ancient that this is before Linux and VXworks.

Here is a little piece that I'm guessing is related to the boot function, based on repeating patterns

http://minus.com/mGhY03TS0

The mystery is what this data actually is:
- Based on repeating patterns, it's not compressed or encrypted
- Though the chip is ARM, it does not seem to be ARM instructions (though it could be a variant I'm not aware of)
- It doesn't seem like a "filesystem" (data layout), because I don't see any of the data matching things later in the file.

Any thoughts?

  igorsk     August 24, 2011 17:10.18 CDT
It's big-endian ARM. "Ex" almost every fourth byte is a dead giveaway.

  nixscripter     August 26, 2011 11:19.32 CDT
You're right. Thanks. I missed that before, because I was using a disassembler that was worthless.

The file seems to be ARM disassembly, big-endian, raw. If I disassemble the whole thing with the (much better) disassembler, I get some logical regions like:

      88:       e10f0000        mrs     r0, CPSR
      8c:       e38000c0        orr     r0, r0, #192    ; 0xc0
      90:       e129f000        msr     CPSR_fc, r0
      94:       e3a000d2        mov     r0, #210        ; 0xd2
      98:       e169f000        msr     SPSR_fc, r0
      9c:       e59f0388        ldr     r0, [pc, #904]  ; 42c
      a0:       e1a0d000        mov     sp, r0
      a4:       e28f0008        add     r0, pc, #8      ; 0x8
      a8:       e1a0e000        mov     lr, r0
      ac:       e1b0f00e        movs    pc, lr
      b0:       e1a00000        mov r0,r0 (nop)
      b4:       e3a000d1        mov     r0, #209        ; 0xd1
      b8:       e169f000        msr     SPSR_fc, r0

However, there are still two strange regions, one at the top of the file, the other about 0x480 in, which disassemble as branches.

       0:       ea00000a        b       30
       4:       ea00000d        b       40
       8:       ea00001b        b       7c
       c:       ea00000e        b       4c
      10:       ea000010        b       58
      14:       ea000012        b       64
      18:       ea0000db        b       38c
      1c:       ea000013        b       70

And the other:

     490:       ea00000a        b       4c0
     494:       ea00000d        b       4d0
     498:       ea00001b        b       50c
     49c:       ea00000e        b       4dc
     4a0:       ea000010        b       4e8
     4a4:       ea000012        b       4f4

Nothing jumps to those instructions, so unless it's someone's idea of debug info, it looks to me like garbage (meaning a header that shouldn't be disassembled). But I'm curious as to why it repeats if it is.

I think this might be progress!

  igorsk     August 27, 2011 09:04.31 CDT
That's exception vectors. Read the manual for the chip.
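A worked example added here (not code from the thread or from any poster) that applies igorsk's two observations to the bytes shown above: it checks which byte of each word carries the 0xE "always" condition nibble to guess endianness, and decodes the branch words at offset 0 as the ARM exception vector table. The sample bytes are constructed from the thread's first listing; the vector names are the standard ARM exception order, and the 0.6 threshold is an assumption.

```python
import struct

# Constructed sample input: the eight words at offset 0 of the thread's
# first listing, stored big-endian.
VECTOR_TABLE_BE = bytes.fromhex(
    "ea00000a" "ea00000d" "ea00001b" "ea00000e"
    "ea000010" "ea000012" "ea0000db" "ea000013"
)

# Classic ARM exception vector order, one word each starting at offset 0.
ARM_EXCEPTIONS = ("Reset", "Undefined instruction", "Software interrupt",
                  "Prefetch abort", "Data abort", "Reserved", "IRQ", "FIQ")


def guess_endianness(blob):
    """igorsk's tell-tale: nearly every ARM instruction has condition 0xE.
    Big-endian storage puts that nibble at the top of byte 0 of each word,
    little-endian at the top of byte 3. Returns 'big', 'little' or None."""
    n = len(blob) // 4
    if n == 0:
        return None
    big = sum(1 for i in range(0, 4 * n, 4) if blob[i] >> 4 == 0xE)
    little = sum(1 for i in range(0, 4 * n, 4) if blob[i + 3] >> 4 == 0xE)
    if big > little and big >= 0.6 * n:      # threshold is an assumption
        return "big"
    if little > big and little >= 0.6 * n:
        return "little"
    return None


def branch_target(word, pc):
    """Decode an ARM B/BL word (bits 27..25 == 0b101): the 24-bit signed
    immediate counts words relative to pc + 8. None if not a branch."""
    if (word >> 25) & 0x7 != 0b101:
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:                   # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return pc + 8 + (imm24 << 2)


def decode_vectors(blob, base=0, endian=">"):
    """Label the eight vector slots and resolve each branch. 'base' is the
    address of blob[0]; decoding the same bytes with base=0x490 yields the
    targets of the thread's second listing, which is why both tables are
    byte-identical: the displacements are pc-relative."""
    out = []
    for idx, name in enumerate(ARM_EXCEPTIONS):
        (word,) = struct.unpack_from(endian + "I", blob, 4 * idx)
        pc = base + 4 * idx
        out.append((pc, name, branch_target(word, pc)))
    return out
```

Vector slots that hold `ldr pc, [pc, #...]` instead of a branch come back with a target of None; only the `b` form seen in this firmware is resolved.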

  nixscripter     August 28, 2011 11:01.18 CDT
I suppose now that I've figured that out, it's time for that, isn't it? :-)

Thanks a lot.
