The current post is under construction.
Environment and specs
I analyzed the firmware based on the following environments.
- Manjaro(based on Arch Linux) xfce v18
Firmware package file type analysis and extraction
First of all, we’ll start the analysis by downloading the official distribution from the official site. You can search for the firmware of the router on their official download center. In this case, we’re going to analysis ipTIME a1004ns. However, commonly, I think you can do these steps with other routers from ipTIME in a similar way.
Download the official distribution
You can download the official distribution of a1004ns model from the following link.
- Link to v11.96.2
- Link to v11.96.4 (the newer version was released while I was working)
- Link to the list of the firmware of a1004ns
- Link to the official download center
Check file type
After you downloaded the firmware, you can check the file is binary. Open the terminal to work and simply type the
file command to check if the system can read and recognize the file.
[seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ file a1004ns_kr_11_962.bin a1004ns_kr_11_962.bin: u-boot legacy uImage, a1004ns, Linux/MIPS, OS Kernel Image (lzma), 13454708 bytes, Mon Dec 9 04:49:15 2019, Load Address: 0x80000000, Entry Point: 0x8000C150, Header CRC: 0x06A3B348, Data CRC: 0x70235504
Extract the image file
Since our system can recognize the type of firmware, we can use the tool called
binwalk for firmware extraction.
installation and install
binwalk to your system. You need to install python 2.7 or upper version to run the tool. After the installation, run
e flag to extract the image file.
[seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ binwalk -e a1004ns_kr_11_962.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 uImage header, header size: 64 bytes, header CRC: 0x6A3B348, created: 2019-12-09 04:49:15, image size: 13454708 bytes, Data Address: 0x80000000, Entry Point: 0x8000C150, data CRC: 0x70235504, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "a1004ns" 64 0x40 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6679456 bytes 2194868 0x217DB4 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11257056 bytes, 1943 inodes, blocksize: 131072 bytes, created: 2019-12-09 04:49:11
Move your working directory to the extracted folder.
[seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ ls _a1004ns_kr_11_962.bin.extracted a1004ns_kr_11_962.bin [seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ cd _a1004ns_kr_11_962.bin.extracted/
squashfs-root folder. This is what you’re searching for. About broken symbolic links, you can ignore it because it is referring to the absolute path. The directories and files which symbolic links referring are may be bonded on the system upgrade process of ipTIME router. So, it won’t be a matter to us.
If you want to modify the UI of router, you can pass following steps modifying logical modules.
Modification of logical modules
binwalk will do almost thing you need. Also, it already extracted the squashfs archive. You’ll see
cgibin folder and find out the extension of ipTIME router management page is
cgi. Yes, you can find a lot of executables.
[seia@Seia-Workspace-SubsystemLinux squashfs-root]$ file etc etc: broken symbolic link to /tmp/etc [seia@Seia-Workspace-SubsystemLinux squashfs-root]$ ls bin default etc lib mnt plugin save sys upgrade-bin var cgibin dev home linuxrc ndbin proc sbin tmp usr [seia@Seia-Workspace-SubsystemLinux squashfs-root]$ cd cgibin/ [seia@Seia-Workspace-SubsystemLinux cgibin]$ ls captcha.cgi info.cgi sys_apply.cgi d.cgi login-cgi timepro.cgi ddns login.cgi upgrade.cgi download.cgi login_handler.cgi wireless_apply.cgi download_easymesh.cgi login_session.cgi wol_apply.cgi download_firewall.cgi m.cgi download_portforward.cgi net_apply.cgi
Check file type
If you find where are the logical modules, you need to check what it is too. Run
file command to check file type.
[seia@Seia-Workspace-SubsystemLinux cgibin]$ file timepro.cgi timepro.cgi: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
Decompiling ELF LSB executables
As you expect, these embedded systems won’t run common web services demon such as PHP.
This section is under construction.
Modification of user interfaces
You can modify the user interface located in
/home/httpd. (I already analyzed the firmware before) This directory contains logical modules too, but nevermind. Let’s test by modifying
./nasconf/basic/lang/kr.js. Give it a small change or you can try other files too.
L7 "S_USB_UNKNOWN" : " 사용하지 않음"
Repackaging firmware extracted by binwalk (experimental, testing)
binwalk is not possible since
binwalk is extractor not the packager. However, by using
binwalk, we could know where is the entry point of the squashfs block inside the binary. In other words, we can merge the modified squashfs block by using
Making new squashfs archive with squashfs-tools
Commonly, people use squashfs-tools to make or to extract squashfs archives. Installation is automated in most Linux distros and you can install it via package manager without any difficulties.
$ pacman -Sy squashfs-tools
Do you remember the compression of the binary was
xz? (On the top of post) Don’t forget to make a new archive compressed with
xz to reduce errors.
[seia@Seia-Workspace-SubsystemLinux _a1004ns_kr_11_962.bin.extracted]$ mksquashfs squashfs-root firmware.squashfs -comp xz Parallel mksquashfs: Using 8 processors Creating 4.0 filesystem on firmware.squashfs, block size 131072. [============================================================================================================/] 1292/1292 100% Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072 compressed data, compressed metadata, compressed fragments, compressed xattrs, compressed ids duplicates are removed Filesystem size 10988.32 Kbytes (10.73 Mbytes) 23.84% of uncompressed filesystem size (46099.54 Kbytes) Inode table size 14318 bytes (13.98 Kbytes) 26.06% of uncompressed inode table size (54948 bytes) Directory table size 14602 bytes (14.26 Kbytes) 41.03% of uncompressed directory table size (35591 bytes) Number of duplicate files found 59 Number of inodes 1640 Number of files 1016 Number of fragments 70 Number of symbolic links 289 Number of device nodes 0 Number of fifo nodes 0 Number of socket nodes 0 Number of directories 335 Number of ids (unique uids + gids) 1 Number of uids 1 seia (1000) Number of gids 1 seia (1000)
Merging archive to binary with
This section is under construction.