timewall / firmware-mod-kit

Automatically exported from code.google.com/p/firmware-mod-kit

Unable to extract URoad-5000 bin image #12

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
URoad-5000 is a Ralink SoC wireless AP with only one USB port. It is used to
connect to a WiMax dongle and shares the WiMax internet with standard clients.
The interesting part is the leaked Ralink SDK, which can be found here:
http://www.filefront.com/user/Borage
The bin image can be downloaded here:
http://www.shinseicorp.com/wimax/URoad-5000_v1450.bin
It seems it uses squashfs-lzma 3.2
Currently the extract process ends like this (from extract.log):
 untrx 0.54 beta - (c)2006 Jeremy Collake
 Opening /home/alex/Desktop/URoad-5000_v1450.bin
 read 3891216 bytes
 ERROR trx header not found

Original issue reported on code.google.com by alex%sta...@gtempaccount.com on 14 May 2010 at 5:02

GoogleCodeExporter commented 9 years ago
Hm, of course, the bin image is AES encrypted... Will do some more research and
will post here (if someone is reading and interested;)

Original comment by alex%sta...@gtempaccount.com on 15 May 2010 at 11:20

GoogleCodeExporter commented 9 years ago
any news?

Original comment by diogo.al...@gmail.com on 16 Jun 2010 at 2:54

GoogleCodeExporter commented 9 years ago
The decryption key is in upload.cgi, which handles firmware uploads, decrypts
the image and flashes it with mtd_write.
If we find some time, we will write a decryption tool.
In the meantime, you can do the following trick: root the box (it has command
execution asp in html comments, succeeded in adding another root user in
/etc/passwd) and replace /bin/mtd_write with an sh script, which will send you via
tftp the 4th (if I remember correctly) parameter, which is the already decrypted
file. Then "flash" the box.
Slick:)

Original comment by alexsta...@gmail.com on 16 Jun 2010 at 3:50

GoogleCodeExporter commented 9 years ago
I have the same problem with modifying dir615c1-factory-to-ddwrt-firmware.bin.
The bin image can be found here:
http://www.dd-wrt.com/routerdb/de/download/D-Link/DIR-615/C2/dir615c1-factory-to-ddwrt-firmware.bin/3235
Here is the end of extract.log:
-----------------------------------------------
 untrx 0.48 beta - (c)2006 Jeremy Collake
 Opening dir615c1-factory-to-ddwrt-firmware.bin
 read 3665944 bytes
 ERROR trx header not found
-----------------------------------------------
I've tried to find upload.cgi, as it was advised in comment 3, but failed. Can
you help me?

Original comment by darthu...@gmail.com on 22 Jul 2010 at 9:56

GoogleCodeExporter commented 9 years ago
upload.cgi is built especially for URoad-5000, so you will not find it in other
images

Original comment by alex%sta...@gtempaccount.com on 29 Jul 2010 at 7:50

GoogleCodeExporter commented 9 years ago
Excellent work! But FMK can't do much with encrypted firmware unfortunately. :(

Original comment by heffne...@gmail.com on 29 Aug 2011 at 11:59
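
A quick triage for the "trx header not found" failure discussed in this thread, as an added example that is not part of the original issue or of firmware-mod-kit: it searches an image for well-known header magics and measures per-block entropy, so an image with no plaintext header and uniformly high entropy is flagged as likely encrypted before any extraction is attempted. The function names, the 4096-byte block size, the 7.9 threshold and both sample images are assumptions constructed for the example.

```python
import math
import zlib
from collections import Counter

# Magic values that firmware extraction tools look for.
MAGICS = {
    b"HDR0": "TRX header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x27\x05\x19\x56": "uImage header",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_magics(image: bytes) -> list:
    """Return sorted (offset, description) pairs for every known magic found."""
    hits = []
    for magic, name in MAGICS.items():
        off = image.find(magic)
        while off != -1:
            hits.append((off, name))
            off = image.find(magic, off + 1)
    return sorted(hits)

def triage(image: bytes, block: int = 4096, threshold: float = 7.9):
    """Return (verdict, magic hits, lowest entropy over full blocks)."""
    hits = find_magics(image)
    # Only full blocks are measured; a short trailing block would skew the minimum.
    blocks = [image[i:i + block]
              for i in range(0, len(image) - block + 1, block)] or [image]
    lowest = min(shannon_entropy(b) for b in blocks)
    if hits:
        verdict = "recognisable headers"
    elif lowest >= threshold:
        # Compressed images are high-entropy too, but keep a plaintext header.
        verdict = "likely encrypted"
    else:
        verdict = "unknown format"
    return verdict, hits, lowest

# Constructed samples (not real firmware): a TRX-style image, and a stand-in for
# ciphertext in which every 256-byte run is a permutation of all byte values.
PLAIN = b"HDR0" + bytes(28) + b"hsqs" + zlib.compress(b"rootfs " * 4096)
OPAQUE = b"".join(bytes((i * 7 + k) % 256 for i in range(256)) for k in range(64))
```

A random 4-byte match inside ciphertext is possible in a multi-megabyte image, so a single magic hit at an odd offset with high entropy everywhere else should still be treated as suspect.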