Red54 / firmware-mod-kit

Automatically exported from code.google.com/p/firmware-mod-kit
0 stars 0 forks source link

TRX Header not found #27

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
# sudo ./extract_firmware.sh ~/Downloads/router_firmware_fullImage.bin ~/kamil/

What is the expected output? What do you see instead?

Expected:

 Firmware Mod Kit (extract) v0.69 beta, (c)2010 Jeremy Collake
 http://www.bitsum.com
 Checking for updates ...
  You have the latest version of this kit.
 LINUX system detected. Compatibility ok.
 Testing file system of /home/user/ ...
 Building tools ...
 Build seems successful.
 Preparing working directory ...
 Removing any previous files ...
 Creating directories ...
 Extracting firmware
! untrx failed, trying splitter3
 Not recognized by splitter3
 Attempting squashfs 3.0 lzma ...
 Firmware appears extracted correctly!

I'm getting:

Firmware Mod Kit (extract) v0.69 beta, (c)2010 Jeremy Collake
 http://www.bitsum.com
 Checking for updates ...
  You have the latest version of this kit.
 LINUX system detected. Compatibility ok.
 Testing file system of /home/user/kamil/ ...
 Building tools ...
 Build seems successful.
 Preparing working directory ...
 Removing any previous files ...
 Creating directories ...
 Extracting firmware
! untrx failed, trying splitter3
 Attempting squashfs 3.0 lzma ...
 Trying 'damn small' variant - used by DD-WRT v24 ...
 Error: filesystem not extracted properly.
  firmware image format not compatible?

What version of the product are you using? On what operating system?
I'm using the latest version of the kit on ubuntu 11.04.

Please provide any additional information below.

# cat extract.log
............
 untrx 0.54 beta - (c)2006-2010 Jeremy Collake
 Opening /home/user/Downloads/router_firmware_fullImage.bin
 read 1972267 bytes
 ERROR trx header not found
 splitter3 0.10 beta - (c)2010 Jeremy Collake
 Opening /home/user/Downloads/router_firmware_fullImage.bin
 read 1972267 bytes
 SQUASHFS magic: 0x68737173
 SQUASHFS version: 512.0
 Found segment type 0x8 Kernel length is fecc
 File system length is 1d1134
 Trailer is 82b bytes
  Writing /home/labris/kamil//image_parts/vmlinuz
    size 65228 from offset 0 ...
 SQUASHFS magic: 0x68737173
 SQUASHFS version: 512.0
  ! WARNING: Unknown squashfs version.
  Writing /home/user/kamil//image_parts/squashfs-lzma-image-x_x
    size 1904948 from offset 65228 ...
  Writing /home/user/kamil//image_parts/hwid.txt
    size 2091 from offset 1970176 ...
  Done!

######################################

Can you please help me with this problem? 

Thanks in advance.

Original issue reported on code.google.com by monsanti...@gmail.com on 7 Sep 2011 at 8:39

GoogleCodeExporter commented 9 years ago
It looks like splitter3 is identifying a false positive SquashFS signature. 
Have you tried using extract-ng.sh instead? It is generally better at locating 
and extracting file systems, but it may run into the same issue.

Can you tell us what firmware you are trying to extract? Or upload the firmware 
image here as an attachment?

Original comment by heffne...@gmail.com on 7 Sep 2011 at 10:35

GoogleCodeExporter commented 9 years ago
Thank you for the reply. I used extract-ng.sh, and it extracted the .bin file 
(with no errors -- at least during the extraction) - image_parts, logs, and 
rootfs folders. But the problem is that for example, if I open the main.html in 
webs folder, it is empty. The sizes of the three folders are 4096bytes. I want 
to extract Airties Air 5021 binary. You can find it in the attachment.

Original comment by monsanti...@gmail.com on 7 Sep 2011 at 1:12

Attachments:

GoogleCodeExporter commented 9 years ago
The folder size of 4096 is the same for every folder on your system; it 
represents the size of the folder itself, not the total size of the folder 
contents.

It appears that the SquashFS image was properly extracted, even though most of 
the files (but not all) don't have any contents. I suspect that the vendor is 
doing something odd with their file system; either these files are place 
holders that get overwritten when the file system is mounted to a ramdisk, or 
they have a customized version of SquashFS.

Is there any GPL code available for this firmware? I didn't see any on the 
vendor's site.

Original comment by heffne...@gmail.com on 7 Sep 2011 at 7:21

GoogleCodeExporter commented 9 years ago
Firstly, the question is if the filesystem is written to the ramdisk, how it 
manages to be mounted again and again after every restart or reset? Secondly, I 
used analyzetag.c (found in openwrt website) to analyze the binary. I have get 
the image results (Header CRC, Image CRC, and etc.). Can it help us to find 
what it is exactly in the .bin?. And finally, if I download and use squashfs as 
filesystem, and the rootfs (taken from the .bin), would it be logical? I mean 
they can't change squashfs, can they (it is read-only I guess.)? ;)

You can find analyzetag.c output:

Broadcom image analyzer - v0.1.0
Copyright (C) 2009 Daniel Dickinson
Tag Version: 6
Signature 1: Broadcom Corporatio
Signature 2: ver. 2.0
Chip ID: 6338
Board ID: 96332CG
Bigendian: true
Image size: 001e171b, 1971995
CFE Address: bfc00000, 3217031168
CFE Length: 0000fdcc, 64972
Flash Root Address: bfc10100, 3217096960
Flash Root Length: 0014f000, 1372160
Flash Kernel Address: bfd5f100, 3218469120
Flash Kernel Length: 0008294f, 534863
Vendor information: 
Image CRC: d7cd6807   [Computed Value: 13cf3ceb]
Rootfs CRC:             [Computed Value: c5b10d67]
Image CRC from sections: d7cd6807   [Computed Value: 13cf3ceb]
Header CRC: 0ce0a955   [Computed Value: 0ce0a955]

Thanks.

Original comment by monsanti...@gmail.com on 8 Sep 2011 at 6:12

GoogleCodeExporter commented 9 years ago
In the case of you need it, below I'll send you the output of "build-ng.sh".

Firmware Mod Kit (build-ng) 0.69 beta, (c)2011 Craig Heffner, Jeremy Collake
http://www.bitsum.com

Building new squashfs file system...
Creating big endian 2.1 filesystem on fmk/new-filesystem.squashfs, block size 
65536.

Big endian filesystem, data block size 65536, compressed data, compressed 
metadata, compressed fragments
Filesystem size 24.41 Kbytes (0.02 Mbytes)
        75.22% of uncompressed filesystem size (32.46 Kbytes)
Inode table size 1108 bytes (1.08 Kbytes)
        16.56% of uncompressed inode table size (6691 bytes)
Directory table size 2883 bytes (2.82 Kbytes)
        66.32% of uncompressed directory table size (4347 bytes)
Number of duplicate files found 156
Number of inodes 384
Number of files 190
Number of fragments 1
Number of symbolic links  52
Number of device nodes 95
Number of fifo nodes 1
Number of socket nodes 0
Number of directories 46
Number of uids 1
        root (0)
Number of gids 0
Remaining free bytes in firmware image: 1878207
Processing 0 header(s) from fmk/new-firmware.bin...
CRC update failed.
Firmware header not supported; firmware checksums may be incorrect. New 
firmware image has been saved to: fmk/new-firmware.bin

The rootfs, image_parts and the logs folders are in the fmk ;)

Original comment by monsanti...@gmail.com on 8 Sep 2011 at 6:47

GoogleCodeExporter commented 9 years ago
This looks like it's possibly using some tweaked broadcom version of lzma. If I 
can find source code, I'll add it in; found a few sources, but nothing that 
seems to work properly with this firmware.

Original comment by heffne...@gmail.com on 9 Sep 2011 at 6:57

GoogleCodeExporter commented 9 years ago
Hi again,

I've found a new tool called AGPF Tools. It has a built-in lzma_unsquash 
function but it seems that it doesn't work either. Maybe you want to try this 
one too. ;)

Original comment by monsanti...@gmail.com on 15 Sep 2011 at 10:31

Attachments:

GoogleCodeExporter commented 9 years ago
Hi, I am having the same issue with dlink firmware,

steven@steven-VirtualBox:~/firmware_mod_kit/firmware-mod-kit-read-only/trunk$ 
sudo ./extract-ng.sh /home/steven/router/dlinkvs ~/router3/
Firmware Mod Kit (build-ng) 0.71 beta, (c)2011 Craig Heffner, Jeremy Collake
http://www.bitsum.com

Scanning firmware...

DECIMAL     HEX         DESCRIPTION
--------------------------------------------------------------------------------
-----------------------
256         0x100       Squashfs filesystem, big endian, version 2.0, size: 
6567884 bytes, 1167 inodes, blocksize: 65536 bytes, created: Mon May  9 
06:49:15 2011

Extracting 256 bytes of  header image at offset 0
Extracting squashfs file system at offset 256
Extracting 160 byte footer from offset 7238290
Extracting squashfs files...
Firmware extraction successful!
Firmware parts can be found in '/home/steven/router3//*'
steven@steven-VirtualBox:~/firmware_mod_kit/firmware-mod-kit-read-only/trunk$ 

when I check the rootfs folder its only 315kb with 1016 files and folders but 
they are all empty with 0 bytes.

the dlinkdvs is a hacked version but I also use original dlink firmware and get 
the same result, its a broadcom router as well.

when i rebuild the firmware without any changes I am getting the same errors, 
as the op mentioned, with header errors.

I tested a tomato firmware to check if I was doing it correctly and extracted 
no problems.

Original comment by mailonen...@gmail.com on 30 Sep 2011 at 4:29

GoogleCodeExporter commented 9 years ago
Can you give a model/version number for the Dlink DVS?

These file extraction issues are usually due to modified compression in the 
SquashFS image.

extract-ng currently only supports TRX and uImage headers which the D-Link does 
not appear to use, so the header errors are expected.

Original comment by heffne...@gmail.com on 30 Sep 2011 at 11:53

GoogleCodeExporter commented 9 years ago
Without further information / source, we likely won't be able to add support 
for this device; leaving issue open in case we get more details later.

Original comment by heffne...@gmail.com on 9 Oct 2011 at 2:55

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
@benaisse:

This is actually a separate issue from the one discussed here. This bug report 
is for an unsupported version of squashfs.

To answer your question though, the firmware image you posted contains a 
bootloader, a gzipped Linux kernel and a squashfs file system. So yes, you can 
extract those items, if that's what you were wondering.

From what I can see, there are no known headers in the firmware image. It may 
use a custom header, or not have any headers at all. But I would *strongly 
recommend against* using the firmware image built by build-ng, it will probably 
brick your router.

Original comment by heffne...@gmail.com on 18 Nov 2011 at 6:13

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
I do not know of one, I'm sorry. This is an embedded systems reverse 
engineering question, so perhaps look for boards related to that.

Original comment by jeremy.collake@gmail.com on 21 Nov 2011 at 8:38

GoogleCodeExporter commented 9 years ago
The /src/others/squashfs-hg55x-bin/unsquashfs utility appears to extract this 
squashfs image properly, but there is no corresponding mksquashfs utility. I am 
working on getting a unsquashfs/mksquashfs pair that works with this image (as 
well as many others).

The header is a Broadcom firmware header, and there is an open source utility 
for re-building these images. Will work on integrating this into FMK.

Original comment by heffne...@gmail.com on 10 Jul 2012 at 1:14

GoogleCodeExporter commented 9 years ago

Original comment by jeremy.collake@gmail.com on 5 Apr 2013 at 3:54