The current post is under construction.


Environment and specs

I analyzed the firmware based on the following environments.

  • Manjaro(based on Arch Linux) xfce v18

Firmware package file type analysis and extraction

First of all, we’ll start the analysis by downloading the official distribution from the official site. You can search for the firmware of the router on their official download center. In this case, we’re going to analysis ipTIME a1004ns. However, commonly, I think you can do these steps with other routers from ipTIME in a similar way.

Download the official distribution

You can download the official distribution of a1004ns model from the following link.

Check file type

After you downloaded the firmware, you can check the file is binary. Open the terminal to work and simply type the file command to check if the system can read and recognize the file.

[seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ file a1004ns_kr_11_962.bin 
a1004ns_kr_11_962.bin: u-boot legacy uImage, a1004ns, Linux/MIPS, OS Kernel Image (lzma), 13454708 bytes, Mon Dec  9 04:49:15 2019, Load Address: 0x80000000, Entry Point: 0x8000C150, Header CRC: 0x06A3B348, Data CRC: 0x70235504

Extract the image file

Since our system can recognize the type of firmware, we can use the tool called binwalk for firmware extraction.

Go to installation and install binwalk to your system. You need to install python 2.7 or upper version to run the tool. After the installation, run binwalk with e flag to extract the image file.

[seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ binwalk -e a1004ns_kr_11_962.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x6A3B348, created: 2019-12-09 04:49:15, image size: 13454708 bytes, Data Address: 0x80000000, Entry Point: 0x8000C150, data CRC: 0x70235504, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "a1004ns"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6679456 bytes
2194868       0x217DB4        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 11257056 bytes, 1943 inodes, blocksize: 131072 bytes, created: 2019-12-09 04:49:11

Move your working directory to the extracted folder.

[seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ ls
_a1004ns_kr_11_962.bin.extracted  a1004ns_kr_11_962.bin
[seia@Seia-Workspace-SubsystemLinux iptime-firmware-modification]$ cd _a1004ns_kr_11_962.bin.extracted/

You’ll see squashfs-root folder. This is what you’re searching for. About broken symbolic links, you can ignore it because it is referring to the absolute path. The directories and files which symbolic links referring are may be bonded on the system upgrade process of ipTIME router. So, it won’t be a matter to us.

Module modification

If you want to modify the UI of router, you can pass following steps modifying logical modules.

Modification of logical modules

binwalk will do almost thing you need. Also, it already extracted the squashfs archive. You’ll see cgibin folder and find out the extension of ipTIME router management page is cgi. Yes, you can find a lot of executables.

[seia@Seia-Workspace-SubsystemLinux squashfs-root]$ file etc
etc: broken symbolic link to /tmp/etc
[seia@Seia-Workspace-SubsystemLinux squashfs-root]$ ls
bin     default  etc   lib      mnt    plugin  save  sys  upgrade-bin  var
cgibin  dev      home  linuxrc  ndbin  proc    sbin  tmp  usr
[seia@Seia-Workspace-SubsystemLinux squashfs-root]$ cd cgibin/
[seia@Seia-Workspace-SubsystemLinux cgibin]$ ls
captcha.cgi               info.cgi           sys_apply.cgi
d.cgi                     login-cgi          timepro.cgi
ddns                      login.cgi          upgrade.cgi
download.cgi              login_handler.cgi  wireless_apply.cgi
download_easymesh.cgi     login_session.cgi  wol_apply.cgi
download_firewall.cgi     m.cgi
download_portforward.cgi  net_apply.cgi

Check file type

If you find where are the logical modules, you need to check what it is too. Run file command to check file type.

[seia@Seia-Workspace-SubsystemLinux cgibin]$ file timepro.cgi
timepro.cgi: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

Decompiling ELF LSB executables

As you expect, these embedded systems won’t run common web services demon such as PHP.

This section is under construction.

Modification of user interfaces

You can modify the user interface located in /home/httpd. (I already analyzed the firmware before) This directory contains logical modules too, but nevermind. Let’s test by modifying ./nasconf/basic/lang/kr.js. Give it a small change or you can try other files too.

L7    "S_USB_UNKNOWN"		: " 사용하지 않음"

Repackaging firmware extracted by binwalk (experimental, testing)

Repackaging via binwalk is not possible since binwalk is extractor not the packager. However, by using binwalk, we could know where is the entry point of the squashfs block inside the binary. In other words, we can merge the modified squashfs block by using dd command.

Making new squashfs archive with squashfs-tools

Commonly, people use squashfs-tools to make or to extract squashfs archives. Installation is automated in most Linux distros and you can install it via package manager without any difficulties.

$ pacman -Sy squashfs-tools

Do you remember the compression of the binary was xz? (On the top of post) Don’t forget to make a new archive compressed with xz to reduce errors.

[seia@Seia-Workspace-SubsystemLinux _a1004ns_kr_11_962.bin.extracted]$ mksquashfs squashfs-root firmware.squashfs -comp xz
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on firmware.squashfs, block size 131072.
[============================================================================================================/] 1292/1292 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
	compressed data, compressed metadata, compressed fragments,
	compressed xattrs, compressed ids
	duplicates are removed
Filesystem size 10988.32 Kbytes (10.73 Mbytes)
	23.84% of uncompressed filesystem size (46099.54 Kbytes)
Inode table size 14318 bytes (13.98 Kbytes)
	26.06% of uncompressed inode table size (54948 bytes)
Directory table size 14602 bytes (14.26 Kbytes)
	41.03% of uncompressed directory table size (35591 bytes)
Number of duplicate files found 59
Number of inodes 1640
Number of files 1016
Number of fragments 70
Number of symbolic links  289
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 335
Number of ids (unique uids + gids) 1
Number of uids 1
	seia (1000)
Number of gids 1
	seia (1000)

Merging archive to binary with dd command

This section is under construction.