Binwalk extract lzma
Even though the Ralink is off, its connection to the Flash IC may still interfere with our traffic because of multiple design factors in both the power circuit and the silicon. Binwalk found the uImage header and decoded it for us. U-Boot uses these headers to identify relevant memory areas. Compression is something we have to deal with before we can make any use of the data. A quick check with strings mainkernel. There are multiple tools that can decompress lzma, such as 7z or xz.
None of those liked mainkernel. SquashFS is a very common filesystem in embedded systems. There are multiple versions and variations, and manufacturers sometimes use custom signatures to make the data harder to locate inside the binary.
Since the filesystem is very common and finding the right configuration is tedious work, somebody may have already written a script to automate the task. Using the intel we have been gathering on the firmware since day 1 we can start looking for potentially interesting binaries:
As we discussed in Part 3, this memory area is not compressed and contains all pieces of data that need to survive across reboots but be different across devices.
Everything in there seems to be just the curcfg. Just think of what you may be interested in and there has to be a way to find it.
Some more greps that are useful: It fails, likely my offsets are off, but you get the picture. Squashfs and Cramfs are much easier to extract, and the steps are the same. Happy Hunting!
Huge thanks to the author of binwalk and owner of http: He wrote in with some awesome helpful tips for pulling apart the DIR firmware:
So the JFFS2 signatures that you were seeing were just false positive matches. What sticks out to me though is the gzip match in the gzipped data extracted from the firmware image:
The gzip match has a timestamp that is within one minute of the original gzipped file found in the firmware update image at offset 0x40, so that's a good sign. So basically the file system was built as a compressed CPIO archive, then concatenated with the kernel, then the whole thing was gzipped. Be sure to check out his web site and training!
From Paul's Security Weekly.
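The gzip timestamp comparison described above can be scripted. The following is an added example, not code from the original write-up or from binwalk: it inflates the outer gzip member at offset 0x40, scans the result for gzip signatures, rejects false positives by test-inflating each one, and flags members whose header timestamp is within 60 seconds of the outer one. All function names are hypothetical and the sample image is constructed.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate (RFC 1952)

def gzip_candidates(blob):
    """Yield (offset, mtime) for each gzip signature with a sane fixed header."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        if pos + 10 <= len(blob):
            flags, mtime = struct.unpack_from("<BI", blob, pos + 3)
            if flags & 0xE0 == 0:  # reserved FLG bits must be zero
                yield pos, mtime
        pos = blob.find(GZIP_MAGIC, pos + 1)

def inflates(blob, offset, limit=1 << 24):
    """True if a gzip member really starts at offset (bounded decompression)."""
    d = zlib.decompressobj(wbits=31)  # 31 = gzip wrapper expected
    try:
        out = d.decompress(blob[offset:], limit)
    except zlib.error:
        return False  # signature matched but the stream is invalid
    return d.eof or len(out) == limit

def nested_gzip_report(image, outer_offset, window=60, limit=1 << 26):
    """Inflate the outer member, then list confirmed inner members as
    (offset, mtime, mtime_within_window_of_outer)."""
    outer_mtime = struct.unpack_from("<I", image, outer_offset + 4)[0]
    inner = zlib.decompressobj(wbits=31).decompress(image[outer_offset:], limit)
    return [(off, mt, abs(mt - outer_mtime) <= window)
            for off, mt in gzip_candidates(inner) if inflates(inner, off)]

def build_sample():
    """Constructed image: 0x40-byte header, then gzip(kernel + junk + gzip(cpio))."""
    t = 1_300_000_000  # arbitrary build time (constructed value)
    cpio = gzip.compress(b"070701" + b"rootfs-placeholder" * 8, mtime=t - 30)
    false_hit = GZIP_MAGIC + b"\x00" + b"\xff" * 16  # signature, no valid stream
    kernel = b"KERNEL" * 100
    body = kernel + false_hit + cpio
    image = b"\x00" * 0x40 + gzip.compress(body, mtime=t)
    return image, len(kernel) + len(false_hit)  # image, offset of the real member

if __name__ == "__main__":
    image, _ = build_sample()
    for off, mtime, close in nested_gzip_report(image, 0x40):
        print(f"inner gzip at {off:#x}, mtime {mtime}, within 60s of outer: {close}")
```

A matching timestamp only supports the hypothesis that both archives came from the same build; the test inflation is what separates a real member from a signature collision.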