Monday, 10 May 2010
Netgear EVA9150 firmware analysis
12:19h
You can get the modified firmware with telnet enabled at:
http://www24.zippyshare.com/v/98762212/file.html
Modified firmware info:
-add /etc/init.d/S90telnetd script to bring up telnetd at startup
-add user "admin" with pass "password" to /etc/passwd
(Keep in mind that this opens a telnet login with a well-known password to everyone on the network the box is attached to.)
Offset analysis of the original file (ranges are inclusive, first byte to last byte):
flashe9k.2.4.091009.68.EU.prod.img
Offset 0x0 -> 0xf Image file checksum, 16 raw bytes: "93 AD 3D CE CC 35 1D 4D 02 F7 CA 91 56 56 10 8B" (the MD5 of the rest of the file, see below)
Offset 0x10 -> 0x763 Version information and configuration data for bootloader stage 1
Offset 0x20026 -> 0x2ea79 Bootloader stage 2 ??
Offset 0x40026 -> 0x71425 romfs filesystem, version 1, named YAMON_XRPC
Offset 0x80026 -> 0x8dc25 romfs filesystem, version 1, named SPLASH_ROMFS
Offset 0xa0026 -> 0x380825 romfs filesystem, version 1, named KERNEL_ROMFS
Offset 0x3a0026 -> 0x1478025 root filesystem, Linux cramfs, little endian, version #2
Offset 0x1f00026 -> 0x1f0146a /wdev config filesystem, Linux jffs2, little endian
System: Sigma Designs SMP863x
Debrick information:
http://kb.netgear.com/app/answers/detail/a_id/9801
http://kb.netgear.com/app/answers/detail/a_id/9796
To make any change to the root filesystem you have to carve the cramfs out at offset 0x3a0026 (see the offset list above), mount it via a loop device, copy its contents out, modify the copy and rebuild it with mkfs.cramfs. cramfs is a read-only, compressed filesystem, so nothing can be changed in place.
To change the /wdev jffs2 filesystem you have to mount it through an mtdblock device, copy its contents out, modify them and rebuild the filesystem with mkfs.jffs2 (little endian, like the original).
After writing the rebuilt filesystem data back at the correct offsets, make sure the image file has a size of 33734844 bytes. Then fix the header: delete the first 16 bytes (the old checksum), save the file and compute an MD5 sum over the whole remaining file. Edit the image file and put the 16 raw bytes of that MD5 (not its hex text) back at the beginning, so the file is again 33734844 bytes. Upload the image file to the EVA9150 via the firmware upgrade web interface. If you get a message like "the version is not downgradable" your MD5 sum is wrong.
Note that this checksum is an unkeyed MD5: it catches a corrupted upload, but anyone who can recompute it can push an arbitrary image through the upgrade interface, which is exactly what happens here.
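The carving and re-signing steps above, as an added example in Python (this is not the post's own tooling, which did the same by hand with dd, mkfs.cramfs and md5sum). Only the 16-byte header, the section offsets and the image size 33734844 are taken from the post; the section names, the 0xff padding used when a rebuilt filesystem is smaller than its slot, the slot boundary passed to splice(), and the small constructed image in demo() are this example's assumptions.

```python
"""Carve the EVA9150 firmware image at the offsets listed above and verify or
rewrite its 16-byte MD5 header.

Added example; the header length, section offsets and total size come from
the post, everything else (names, padding value, demo data) is assumed.
"""
import hashlib
import sys

HEADER_LEN = 16           # bytes 0x0-0xf: MD5 of everything that follows
IMAGE_SIZE = 33734844     # total size the web updater expects for this image

# (name, first byte, last byte) exactly as listed in the post; the ranges are
# inclusive. The names are labels chosen here, not strings from the image.
# Observation from the list: every filesystem starts 0x26 bytes past a 128 KiB
# boundary; the post does not say what those 0x26 bytes are, so they are left
# alone and only the listed ranges are carved.
SECTIONS = [
    ("bootloader1_config", 0x10,      0x763),
    ("bootloader2",        0x20026,   0x2ea79),
    ("YAMON_XRPC.romfs",   0x40026,   0x71425),
    ("SPLASH_ROMFS.romfs", 0x80026,   0x8dc25),
    ("KERNEL_ROMFS.romfs", 0xa0026,   0x380825),
    ("rootfs.cramfs",      0x3a0026,  0x1478025),
    ("wdev.jffs2",         0x1f00026, 0x1f0146a),
]


def body_md5(image: bytes) -> bytes:
    """MD5 over the image minus its header; that digest is what the header stores."""
    return hashlib.md5(image[HEADER_LEN:]).digest()


def header_ok(image: bytes) -> bool:
    """True if the 16 raw header bytes equal the MD5 of the body."""
    return len(image) > HEADER_LEN and image[:HEADER_LEN] == body_md5(image)


def resign(image: bytes) -> bytes:
    """Return a copy whose header is the MD5 of its body.

    The hash is unkeyed, so this is all it takes to make a modified image
    acceptable to the updater: nothing here requires a secret."""
    if len(image) <= HEADER_LEN:
        raise ValueError("image has no body to hash")
    return body_md5(image) + image[HEADER_LEN:]


def size_ok(image: bytes, expected: int = IMAGE_SIZE) -> bool:
    """The updater wants the full image, header included, at exactly this size."""
    return len(image) == expected


def carve(image: bytes, sections=SECTIONS) -> dict:
    """Slice every listed section out of the image, keyed by name."""
    parts = {}
    for name, first, last in sections:
        if last >= len(image):
            raise ValueError(f"{name}: ends at {last:#x}, image is only {len(image)} bytes")
        parts[name] = image[first:last + 1]
    return parts


def splice(image: bytes, first: int, limit: int, payload: bytes) -> bytes:
    """Write a rebuilt filesystem at `first`, padding the slot [first, limit)
    with 0xff (assumed flash erase value) so nothing before or after moves.
    `limit` is the caller's choice of slot end; the post only gives the data end."""
    slot = limit - first
    if len(payload) > slot:
        raise ValueError(f"payload is {len(payload) - slot} bytes too large for its slot")
    return image[:first] + payload.ljust(slot, b"\xff") + image[limit:]


def demo() -> bool:
    """Round trip on a constructed stand-in image: tamper, watch the header
    fail, re-sign, and carve the modified section back out."""
    layout = [("a", 16, 31), ("b", 32, 63)]          # constructed tiny layout
    image = bytes(16) + b"A" * 16 + b"B" * 32         # constructed, stale header
    signed = resign(image)
    if not header_ok(signed) or header_ok(image):
        return False
    patched = splice(signed, 32, 64, b"telnetd")      # "rebuilt" section b
    if header_ok(patched):                            # header is now stale
        return False
    patched = resign(patched)
    return header_ok(patched) and carve(patched, layout)["b"].startswith(b"telnetd")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print("size ok:", size_ok(data), " header ok:", header_ok(data))
        for name, part in carve(data).items():
            print(f"{name:20s} {len(part):9d} bytes")
    else:
        print("demo:", demo())
```

Run it with the image path to check size and header and to see how long each carved section is; rebuild the cramfs or jffs2 with mkfs.cramfs / mkfs.jffs2 separately, then splice() it in at its offset and resign() before uploading. Any image that passes header_ok() will get past the "not downgradable" check described above, which is the practical meaning of an unkeyed checksum.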
Tuesday, 15 December 2009
DFÜ!
21:08h
Thursday, 10 December 2009
Bat For Lashes - What's a Girl To Do
20:52h
Wednesday, 9 December 2009
WTF!?!??!!11
17:25h
Thursday, 3 December 2009
Advent, Advent, the Reichstag is burning
23:52h
Monday, 30 November 2009
19:08h
Saturday, 28 November 2009
22:00h
This is a gift it comes with a price
Who is the lamb and who is the knife
Midas is king and he holds me so tight
And turns me to gold in the sunlight
Thursday, 19 November 2009
21:18h
Friday, 30 October 2009
02:13h
00:17h
Actually you always do everything wrong, but in the end you turn out to be right after all...
Güldener Abtsleite, Trockenbeerenspätauslese!
Thursday, 29 October 2009
00:32h
Tuesday, 20 October 2009
20:10h
18:33h
Sunday, 18 October 2009
21:51h
Monday, 5 October 2009
Let's Play Tetris
18:19h
Friday, 2 October 2009
00:36h