open_Netcenter Forum



Topic: How to unpack and create the firmware
Author: geert
Posted on 13 February 2007 05:34 (#1)

Analysis of WD_NetCenter_R1_1_0_0003.wdf
========================================

How to extract the kernel and root filesystem from the firmware.

Linux kernel:

$ dd if=WD_NetCenter_R1_1_0_0003.wdf of=piggy.gz bs=1 skip=112 count=1158032

Check by gunzipping:
$ gunzip piggy.gz

Linux version 2.4.20 (root@sun_r_linux)
(gcc version 3.0 20010422 (prerelease) with bcm4710a0 modifications)

Root fs (cramfs):

$ dd if=WD_NetCenter_R1_1_0_0003.wdf of=cramfs.img bs=1 skip=1158144 count=6471680

Check with:
$ cramfsck -v cramfs.img

Tools to get a readable hexadecimal dump:

$ od -Ax -w4 -tx1 -tc WD_NetCenter_R1_1_0_0003.wdf

$ hexdump -C WD_NetCenter_R1_1_0_0003.wdf

Structure of firmware file: 7630936 = 7630848 + 84 + 4

BRCM header                   84
TRX format   HDR0             28
             kernel      1158032
             cramfs      6471680
             0 padding      1108   = 7630848
CRC32                          4

The WD firmware is a trx format firmware prefixed with a BRCM header and
a stuck-on CRC32 4 byte overall checksum.
The trx header `Magic HDR0' starts at "size of buildinfo" + 8 * 4.

The BRCM header looks like this:
[all numbers in little-endian (bytes right to left)]

BRCM header/buildinfo
000000 42 52 43 4d B R C M BRCM
000004 02 00 00 00 002 \0 \0 \0 2 sections/parts
000008 15 00 00 00 025 \0 \0 \0 21 = TYPE_TAG
00000c 34 00 00 00 4 \0 \0 \0 0x34 = 52 = build info size
000010 00 00 00 00 \0 \0 \0 \0
000014 12 00 00 00 022 \0 \0 \0 18 = TYPE_FLASH section type
000018 00 70 74 00 \0 p t \0 0x747000 = 7630848 part 1 size
00001c 00 00 00 00 \0 \0 \0 \0
000020 31 2e 31 2e 1 . 1 . 1.1. <= buildinfo starts
000024 30 2e 30 30 0 . 0 0 0.00
000028 30 33 0a 42 0 3 \n B 03\nB
00002c 75 69 6c 64 u i l d uild
000030 20 64 61 74 d a t dat
000034 65 3a 20 46 e : F e: F
000038 72 69 20 4f r i O ri O 52 bytes
00003c 63 74 20 32 c t 2 ct 2
000040 31 20 31 32 1 1 2 1 12
000044 3a 33 35 3a : 3 5 : :35:
000048 34 36 20 55 4 6 U 46 U
00004c 54 43 20 32 T C 2 TC 2
000050 30 30 35 0a 0 0 5 \n 005\n <= buildinfo ends

TRX format summary:
HDR0 header: 7 * 4 = 28
kernel: 1158032 starts at offset 28
cramfs image: 6471680 starts at offset 1158060 (12640 * 512 = 6320k)
0 padding: 1108 starts at offset 7629740
total: 7630848 (14904 * 512 = 7452k)

HDR0 header (offsets are relative to start of header)
000054 48 44 52 30 H D R 0 Magic
000058 00 70 74 00 \0 p t \0 0x747000 total length
00005c 6a 92 07 0b j 222 \a \v bit-complement CRC32 of rest
000060 00 00 01 00 \0 \0 001 \0 16-bit flags | 16-bit version
000064 1c 00 00 00 034 \0 \0 \0 offset 1: 0x1c = 28 header size
000068 ac ab 11 00 ¬ « 021 \0 offset 2: 0x11abac=1158060
00006c 00 00 00 00 \0 \0 \0 \0 offset 3: not used

Kernel
000070 1f 8b 08 08 037 213 \b \b start of kernel piggy.gz
000074 4a 28 56 43 J ( V C
000078 02 03 70 69 002 003 p i
00007c 67 67 79 00 g g y \0 size of kernel 1158032
000080 ec 5a 7f 70 ¬ Z 177 p
...
11abf8 66 00 b0 28 f \0 ° (
11abfc 00 00 00 00 \0 \0 \0 \0 end of kernel piggy.gz

Rootfs
11ac00 45 3d cd 28 E =  ( start of cramfs rootfs
11ac04 00 c0 62 00 \0 € b \0
11ac08 03 00 00 00 003 \0 \0 \0
11ac0c 00 00 00 00 \0 \0 \0 \0
11ac10 43 6f 6d 70 C o m p
11ac14 72 65 73 73 r e s s
11ac18 65 64 20 52 e d R
11ac1c 4f 4d 46 53 O M F S
11ac20 02 09 4a 80 002 \t J 200
11ac24 00 00 00 00 \0 \0 \0 \0
11ac28 aa 15 00 00 ª 025 \0 \0
...
746b94 d2 00 1c 02 ’ \0 034 002
746b98 04 79 00 00 004 y \0 \0
746b9c 00 00 00 00 \0 \0 \0 \0
*
747054 93 5b 01 96 223 [ 001 226 bit-complement CRC32
over everything previous
747058 7630936


-----------------------
Geert

Posts: 23 | Member since: February 2007 | IP address: logged
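
The layout described in the post, turned into a validating parser. This is an added example, not part of the original post and not WD or Broadcom code. It assumes that "bit-complement CRC32" means the bitwise NOT of the standard zlib CRC32, that "of rest" means everything after the TRX CRC field, and that the second word of the cramfs superblock is the image size (0x62c000 = 6471680 in the dump); `parse_wdf`, `build_sample` and the miniature image are constructed for illustration.

```python
import struct
import zlib

CRAMFS_MAGIC = 0x28CD3D45  # bytes 45 3d cd 28, as at 0x11ac00 in the dump

def inv_crc(data):
    # Assumption: "bit-complement CRC32" means NOT of the standard zlib CRC32.
    return ~zlib.crc32(data) & 0xFFFFFFFF

def parse_wdf(fw):
    """Validate a BRCM+TRX+CRC32 image; return (file offset, size) per part."""
    if len(fw) < 32 or fw[:4] != b"BRCM":
        raise ValueError("missing BRCM magic")
    info_size, = struct.unpack_from("<I", fw, 0x0C)
    part_size, = struct.unpack_from("<I", fw, 0x18)
    trx = 8 * 4 + info_size  # HDR0 starts at "size of buildinfo" + 8 * 4
    if len(fw) < trx + 28 + 4:
        raise ValueError("truncated image")
    magic, length, crc, _flagver, off1, off2, _off3 = struct.unpack_from("<4s6I", fw, trx)
    if magic != b"HDR0":
        raise ValueError("missing HDR0 magic")
    if length != part_size or trx + length + 4 != len(fw):
        raise ValueError("length fields disagree with file size")
    if not 28 <= off1 <= off2 <= length - 8:
        raise ValueError("TRX offsets out of range")
    if crc != inv_crc(fw[trx + 12:trx + length]):
        raise ValueError("TRX CRC32 mismatch")
    if struct.unpack_from("<I", fw, trx + length)[0] != inv_crc(fw[:-4]):
        raise ValueError("trailing CRC32 mismatch")
    fs_magic, fs_size = struct.unpack_from("<II", fw, trx + off2)
    if fs_magic != CRAMFS_MAGIC or off2 + fs_size > length:
        raise ValueError("bad cramfs superblock")
    return {"buildinfo": fw[0x20:trx].decode("ascii", "replace"),
            "kernel": (trx + off1, off2 - off1),
            "rootfs": (trx + off2, fs_size)}  # size field excludes the zero padding

def build_sample():
    """Constructed miniature image with the same layout; not real firmware."""
    info = b"0.0.0.0000\nBuild date: constructed sample\n"
    kernel = b"\x1f\x8b\x08\x08" + b"K" * 28  # stand-in for piggy.gz
    rootfs = struct.pack("<II", CRAMFS_MAGIC, 64) + b"R" * 56 + b"\0" * 16
    body = struct.pack("<4I", 0x10000, 28, 28 + len(kernel), 0) + kernel + rootfs
    length = 12 + len(body)
    trx = struct.pack("<4sII", b"HDR0", length, inv_crc(body)) + body
    brcm = struct.pack("<4s7I", b"BRCM", 2, 21, len(info), 0, 18, length, 0) + info
    img = brcm + trx
    return img + struct.pack("<I", inv_crc(img))

if __name__ == "__main__":
    for part, (offset, size) in list(parse_wdf(build_sample()).items())[1:]:
        print(f"dd if=firmware.wdf of={part}.bin bs=1 skip={offset} count={size}")
```

With the field values from the dump above, the same arithmetic yields the post's `dd` parameters: skip=112 count=1158032 for the kernel and skip=1158144 count=6471680 for the cramfs image.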


