I have a D-Link DSL-2750U (HW: V1) and I would like to reverse engineer its firmware. To start, I searched for a firmware version that matched my device and found an image to download. You can also find this image on the D-Link website; the URL below may help if you want to follow along step by step.
https://dlinkmea.com/index.php/site/SupportResource
At the URL above I searched for DSL-2750U and then selected the proper version for my device. For me the latest version I could install on my device was H/W Ver. V1/V2, F/W Ver. 1.16_ME. Select the right version for your own device.
Once you have downloaded the proper firmware, carefully follow these steps.
When you decide to reverse engineer a firmware image you need some tools. The following tools will help us:
- binwalk
- mksquash, unsquash
- lzma, lzmainfo, unlzma
- dd (installed by default :) )
- file (installed by default :) )
To install them, follow these instructions.
Install binwalk: a tool library for analyzing binary blobs and executable code.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install binwalk
Install the squashfs tools: tools to create and append to squashfs filesystems.
sudo apt-get install squashfs-tools
Install lzma: compression and decompression in the LZMA format, command line utility.
sudo apt-get install lzma
I use binwalk to check and analyze the downloaded firmware. To do this we use the following command:
binwalk GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img
Note: you might be curious about GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img. This is the firmware we downloaded from the D-Link website: when you download the proper firmware and unzip it, you find an image named GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img inside.
When you run the binwalk command you should see a result like this:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5746840 bytes
1800448 0x1B7900 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 4922146 bytes, 1161 inodes, blocksize: 262144 bytes, created: 2016-10-20 00:25:24
In the result above we can see two parts of data contained inside our GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img file as binary.
To extract this data (the LZMA compressed data and the Squashfs filesystem) we can use the dd command line tool. Why? Because all of this data is stored inside a single binary file (the .img file).
To extract data from the .img file we use dd like this:
dd if=GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img bs=1 skip=1800448 of=sq-filesystem
The dd command helps us read a binary file, select a part of it, and write the selected part to disk. In the example above we use dd with these options:
- if= : the binary input file
- bs= : the block size; with bs=1 each block is one byte, so skip and count are measured in bytes
- skip= : how many bytes dd should skip before it starts reading the squashfs filesystem. In the example above dd skips from 0 to 1800448 and then reads from 1800448 to the end
- of= : the output file into which the extracted data is written
Note: you might be curious about skip=1800448. 1800448 is the number binwalk showed us in the previous step: binwalk tells us where we should start reading to extract the Squashfs filesystem.
When you run the dd command above you should see this result:
4923552+0 records in
4923552+0 records out
4923552 bytes (4.9 MB, 4.7 MiB) copied, 18.5036 s, 266 kB/s
and a firmware filesystem image named sq-filesystem. To make sure the extracted data is correct, I check the exported file with the following command:
file sq-filesystem
and the result should look like this:
sq-filesystem: Squashfs filesystem, little endian, version 1024.0, compressed, 2457640485032820736 bytes, -1996226560 inodes, blocksize: 1024 bytes, created: Thu Oct 1 17:52:24 2099
OK, we have extracted the firmware filesystem. sq-filesystem is a binary file like GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img; to unpack it we need the unsquashfs tool we talked about in the prerequisites section.
Let's unpack sq-filesystem with unsquashfs:
sudo unsquashfs sq-filesystem
If everything is OK, the result should look something like this:
Parallel unsquashfs: Using 4 processors
1102 inodes (1126 blocks) to write
[============================================================================|] 1126/1126 100%
created 696 files
created 59 directories
created 125 symlinks
created 281 devices
created 0 fifos
Then you should have a squashfs-root folder inside your working directory. Now you can jump into it and explore every file inside :). You might be curious about the web interface files, FTP, SSH, the HTTP server, Samba and the other services that run inside your modem; you can find all of them inside the squashfs-root folder.
But as we know, GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img has two parts:
- LZMA compressed data
- Squashfs filesystem
We have extracted the Squashfs filesystem. But how can we extract part 1, the LZMA compressed data, from the GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img file? That is a good question.
As we saw, we used the dd tool; for the LZMA compressed data we use it too. This is the command we use to extract the LZMA part from GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img:
dd if=GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img count=1800448 bs=1 of=lzma-data.lzma
The command above is a bit different from the previous one: here we use count=1800448 and do not use skip. Why?
Because we need to extract the LZMA part, which spans from 0 to 1800448. binwalk tells us where each part is located inside the binary file: the first part runs from 0 to 1800448 and the second part from 1800448 to the end.
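The two dd carves above (skip= for the filesystem, count= for the LZMA part) plus a header check, as an added Python example that is not part of the original post: carve() returns the same bytes dd bs=1 writes, parse_superblock() decodes the squashfs superblock fields binwalk printed so the carved offset can be validated without relying on libmagic, and parse_lzma_header() decodes the 13-byte LZMA header. It runs on a constructed stand-in image, build_sample_image(), whose header values are taken from the binwalk output above; for the real file you would pass open("GAN9....img", "rb").read() instead.

```python
import calendar
import datetime
import struct
from typing import Optional

SQUASHFS_MAGIC = b"hsqs"   # squashfs 4.x little-endian magic, what binwalk keys on
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def carve(image: bytes, skip: int = 0, count: Optional[int] = None) -> bytes:
    """The bytes 'dd bs=1 skip=SKIP count=COUNT' would write: [skip, skip+count) or to EOF."""
    end = len(image) if count is None else skip + count
    return image[skip:end]

def find_squashfs(image: bytes) -> int:
    """Offset of the first squashfs superblock (binwalk's DECIMAL column), or -1 if none."""
    return image.find(SQUASHFS_MAGIC)

def parse_lzma_header(image: bytes, offset: int = 0) -> dict:
    """Decode the 13-byte LZMA 'alone' header: properties, dictionary size, uncompressed size."""
    props, dict_size, usize = struct.unpack_from("<BIQ", image, offset)
    return {"properties": props, "dictionary_size": dict_size, "uncompressed_size": usize}

def parse_superblock(image: bytes, offset: int) -> dict:
    """Decode the squashfs 4.0 superblock fields binwalk reports; raise if the magic is absent."""
    (magic, inodes, mkfs_time, block_size, _frags, comp, _block_log, _flags,
     _ids, major, minor, _root, bytes_used) = struct.unpack_from("<4sIIIIHHHHHHQQ", image, offset)
    if magic != SQUASHFS_MAGIC:
        raise ValueError("no squashfs superblock at offset %d" % offset)
    created = datetime.datetime.fromtimestamp(mkfs_time, datetime.timezone.utc)
    return {"version": "%d.%d" % (major, minor), "compression": COMPRESSORS.get(comp, "unknown"),
            "size": bytes_used, "inodes": inodes, "blocksize": block_size,
            "created": created.strftime("%Y-%m-%d %H:%M:%S")}

def build_sample_image() -> bytes:
    """Constructed stand-in for the D-Link .img: 1024-byte LZMA part, then a squashfs superblock.
    Header values mirror what binwalk printed for the real image; payload is zero filler."""
    lzma_part = struct.pack("<BIQ", 0x5D, 8388608, 5746840) + b"\x00" * 1011
    superblock = struct.pack("<4sIIIIHHHHHHQQ", SQUASHFS_MAGIC, 1161,
                             calendar.timegm((2016, 10, 20, 0, 25, 24)), 262144, 0,
                             2, 18, 0, 1, 4, 0, 0, 4922146)
    return lzma_part + superblock + b"\x00" * 64

if __name__ == "__main__":
    img = build_sample_image()
    off = find_squashfs(img)                       # 1024 here; 1800448 for the real image
    print("lzma header:", parse_lzma_header(img))
    print("squashfs at %d:" % off, parse_superblock(img, off))
    with open("sq-filesystem.sample", "wb") as out:  # same bytes as dd ... skip=OFF of=...
        out.write(carve(img, skip=off))
```

If parse_superblock() reports a version other than 4.0 or an unexpected compressor, the skip offset is wrong or the image has a different layout, which is the check the file command output above does not give you.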
OK, once dd has extracted the LZMA part we can check it with the file command:
file lzma-data.lzma
and the result is:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5746840 bytes
To extract this file we can use the unlzma tool we talked about earlier. Let's extract the LZMA file with the following command:
unlzma -d -k -f -v lzma-data.lzma
When unlzma has decompressed lzma-data.lzma we can check the exported data with the file command, but before we check the output file I want to explain the unlzma options used in the command above:
- -d : decompress the input file
- -k : keep the input file when the process completes
- -f : force the output (overwrite an existing output file)
- -v : verbose; show everything unlzma does while decompressing the file
Now let's check the output file:
file lzma-data
and the output:
lzma-data: data
To check the exported lzma-data file I also use binwalk, because this file is also a binary file that may contain several parts, exactly like GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R_update_1.16.img. We check lzma-data with binwalk:
binwalk lzma-data
And this is the result:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
4333600 0x422020 Linux kernel version 2.6.30
4533248 0x452C00 CRC32 polynomial table, little endian
4545752 0x455CD8 CRC32 polynomial table, big endian
5167416 0x4ED938 Neighborly text, "NeighborSolicitstunnel6 init(): can't add protocol"
5167436 0x4ED94C Neighborly text, "NeighborAdvertisementst add protocol"
5171123 0x4EE7B3 Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
As you can see, our lzma-data file is separated into multiple parts, such as Linux kernel version 2.6.30, the CRC32 polynomial tables and so on.
To extract each part we can use the dd tool again. For example, if I want to extract Linux kernel version 2.6.30 I use the following command:
dd if=lzma-data bs=1 skip=4333600 count=199648 of=linux-kernel-version-2-6-30
and for the first CRC32 table:
dd if=lzma-data bs=1 skip=4533248 count=12504 of=CRC32-t
and so on.