Sagemcom Modem F@st 2764 GV (Power Box GVT) – Hacking #2

Dec 31, 2012   #f2764gv  #firmware  #hacking  #mod  #sagemcom 

Yo! Happy new year! We still can't say whether this is a kind of "gift", but after talking with other people also working on the F2764GV, a few hours with the device connected via JTAG (yes, it works!) and a bit of MIPS ASM, I believe we can bypass the modem/router firmware signatures and get custom firmwares started!

As soon as I have more concrete information, I'll update this post.

F1704, down!

F2764GV, down!?

Stay classy, GVT & SAGEMCOM.

Edit: 02/Jan/13

…notes:

– Description of the firmware format (image.secure):

```c
#include <stdint.h>

// big endian
struct _image_header {
/* size_until_now */
    uint32_t magic;                 // 0x604c51ea
    char     maybe_dsa_stuff[0x28];
    uint32_t header_crc;            // crc32 from offset 0x30 +0x7c (e.g.: on 8388 = 7D F1 77 9C)
    char     dunno[8];
    char     image_name[0x14];
    char     dunno2[0x48];
    uint32_t header_size;           // 0x140
    uint32_t data_size;             // from header_end
    uint32_t zero[4];
/* size_until_now = 0xac */
    char     boot_args[0x140 - 0xac]; // header_size - size_until_now (0x94 bytes for header_size 0x140)
} __attribute__((packed));

// immediately after the header:
// char uimage_data[data_size];

// total size must be flash sector size aligned (128 KB)
```

general layout:

```text
fw = _image_header + uimage(gzip(vmlinux + cramfs))
```
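A parser for the header layout described above, added here as an example (it is not code from the original post). It assumes a standard zlib CRC-32 and reads "crc32 from offset 0x30 +0x7c" as the 0x7c bytes starting at offset 0x30; the sample image it builds is constructed, not a real firmware.

```python
import struct
import zlib

MAGIC = 0x604C51EA
FIXED_LEN = 0xAC                 # size_until_now after the four zero words
SECTOR = 128 * 1024              # total image must be flash-sector aligned
CRC_AT, CRC_LEN = 0x30, 0x7C     # "crc32 from offset 0x30 +0x7c" (assumed: zlib CRC-32)

# big-endian: magic, maybe_dsa_stuff[0x28], header_crc, dunno[8], image_name[0x14],
# dunno2[0x48], header_size, data_size, zero[4]
_HDR = struct.Struct(">I40sI8s20s72sII4I")
assert _HDR.size == FIXED_LEN


def parse_image_secure(blob):
    """Parse an image.secure blob; raise ValueError on any inconsistency."""
    if len(blob) < FIXED_LEN:
        raise ValueError("too short for the fixed header part")
    f = _HDR.unpack_from(blob, 0)
    magic, _dsa, stored_crc, _d1, name, _d2, header_size, data_size = f[:8]
    if magic != MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if any(f[8:]):
        raise ValueError("reserved zero words are not zero")
    if header_size < FIXED_LEN or len(blob) < header_size + data_size:
        raise ValueError("header_size/data_size inconsistent with blob length")
    calc = zlib.crc32(blob[CRC_AT:CRC_AT + CRC_LEN]) & 0xFFFFFFFF
    if calc != stored_crc:
        raise ValueError("header crc mismatch: stored %08x, computed %08x" % (stored_crc, calc))
    return {
        "image_name": name.rstrip(b"\0").decode("ascii", "replace"),
        "header_size": header_size,
        "data_size": data_size,
        # boot_args fill the header from 0xac up to header_size (0x140 on this device)
        "boot_args": blob[FIXED_LEN:header_size].rstrip(b"\0").decode("ascii", "replace"),
        "uimage": blob[header_size:header_size + data_size],
        "sector_aligned": (header_size + data_size) % SECTOR == 0,
    }


def build_sample_image(name, boot_args, payload, header_size=0x140):
    """Constructed sample (not a real firmware) with a correct header_crc."""
    hdr = bytearray(_HDR.pack(MAGIC, b"\0" * 40, 0, b"\0" * 8, name.ljust(20, b"\0"),
                              b"\0" * 72, header_size, len(payload), 0, 0, 0, 0))
    hdr += boot_args.ljust(header_size - FIXED_LEN, b"\0")
    crc = zlib.crc32(bytes(hdr[CRC_AT:CRC_AT + CRC_LEN])) & 0xFFFFFFFF
    struct.pack_into(">I", hdr, 0x2C, crc)   # header_crc sits right after the 0x28 DSA bytes
    return bytes(hdr) + payload
```

Note that, as the layout describes it, header_crc covers only 0x30..0xac, so boot_args and the uimage payload are not protected by it; this parser is a consistency check on the plaintext header, not the signature check the post is about.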