Unpacking Planet Tech. Corp. WNAP-7200 and WNAP-7300 wireless APfirmware
Instructions were tested with Ubuntu 11.04.
Planet WNAP-7300 appears to be same or at least very close to Zcom ZCN-1523H-5-16. Both are based on same Atheros 7240 SoC, 5 GHz only radio and what's most important U-Boot loader on Planet contains ZCN1523-5-16 string. Also flash size and partition layout are identical.
OpenWrt trunk contains support for ZCN-1523H-5-16. Let me know if you try it with WNAP-7300. http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-zcn-1523h-5-16-squashfs-factory.img
WNAP-7300 (Atheros AR71xx): If you're trying to unpack newer firmware version adjust roots offset, 803423 in this example. You can find offset with binwalk. It's first JFFS2 hit you get, in this case "803423 0xC425F JFFS2 filesystem data big endian, JFFS node length: 12".
# Download jffs2dump
apt-get install mtd-utils
mkdir -p /tmp/wnap7300
cd /tmp/wnap7300
# Download + unpack
wget "http://www.planet.com.tw/en/product/images/33964/FW_WNAP7300v2.0.3(PL)4.zip"
unzip "FW_WNAP7300v2.0.3(PL)4.zip"
mv "FW_WNAP7300v2.0.3(PL)4"/* .
# Kernel
dd if="FW_WNAP7300v2.0.3(PL)4.img" bs=96 skip=1 | unlzma -d > kernel
# Rootfs
dd if="FW_WNAP7300v2.0.3(PL)4.img" bs=803423 skip=1 of=foo.tmp
# UPDATE 11/2012: use different offset for latest firmware
# dd if="FW_WNAP-7300_vF3.0.8(PL)2.img" bs=803821 skip=1 of=foo.tmp
jffs2dump -b foo.tmp -e foo # fixes endianess
modprobe loop
modprobe block2mtd
losetup /dev/loop0 /tmp/wnap7300/foo
modprobe mtdblock
echo "/dev/loop0,128KiB" > /sys/module/block2mtd/parameters/block2mtd
mkdir mount
mount -t jffs2 /dev/mtdblock0 /tmp/wnap7300/mount -o ro
# Done.
# Uncompressed kernel in /tmp/wnap7300/kernel and rootfs mounted under /mnt/foo
# Cleanup when you're done
umount /tmp/wnap7300/mount
rmmod block2mtd
losetup -d /dev/loop0
rm -rf /tmp/wnap7300
WNAP-7200 (Ralink RT2880)
# Download + unpackmkdir -p /tmp/wnap7200
cd /tmp/wnap7200
wget "http://www.planet.com.tw/en/product/images/27635/FW_WNAP7200v32000426.zip"
unzip "FW_WNAP7200v32000426.zip"
mv "FW_WNAP7200v32000426" x
mv x/* .
# Kernel + Rootfsdd if="FW_WNAP7200v32000426" bs=64 skip=1 | unlzma -d > kernel.root
# Rootfs
# Got bored here as this is uninteresting platform with RT2880 soc.
# Rootfs is hacked up squashfs as usual. You can dump it with following command and then need to compile compatible unsquashfs tool.
dd if=kernel.root of=root.squashfs bs=2256919 skip=1
Protip: http://www.loohuis-consulting.nl/downloads/compliance-manual.pdf
Planet WNAP-7300 appears to be same or at least very close to Zcom ZCN-1523H-5-16. Both are based on same Atheros 7240 SoC, 5 GHz only radio and what's most important U-Boot loader on Planet contains ZCN1523-5-16 string. Also flash size and partition layout are identical.
OpenWrt trunk contains support for ZCN-1523H-5-16. Let me know if you try it with WNAP-7300. http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-zcn-1523h-5-16-squashfs-factory.img
WNAP-7300 (Atheros AR71xx): If you're trying to unpack newer firmware version adjust roots offset, 803423 in this example. You can find offset with binwalk. It's first JFFS2 hit you get, in this case "803423 0xC425F JFFS2 filesystem data big endian, JFFS node length: 12".
# Download jffs2dump
apt-get install mtd-utils
mkdir -p /tmp/wnap7300
cd /tmp/wnap7300
# Download + unpack
wget "http://www.planet.com.tw/en/product/images/33964/FW_WNAP7300v2.0.3(PL)4.zip"
unzip "FW_WNAP7300v2.0.3(PL)4.zip"
mv "FW_WNAP7300v2.0.3(PL)4"/* .
# Kernel
dd if="FW_WNAP7300v2.0.3(PL)4.img" bs=96 skip=1 | unlzma -d > kernel
# Rootfs
dd if="FW_WNAP7300v2.0.3(PL)4.img" bs=803423 skip=1 of=foo.tmp
# UPDATE 11/2012: use different offset for latest firmware
# dd if="FW_WNAP-7300_vF3.0.8(PL)2.img" bs=803821 skip=1 of=foo.tmp
jffs2dump -b foo.tmp -e foo # fixes endianess
modprobe loop
modprobe block2mtd
losetup /dev/loop0 /tmp/wnap7300/foo
modprobe mtdblock
echo "/dev/loop0,128KiB" > /sys/module/block2mtd/parameters/block2mtd
mkdir mount
mount -t jffs2 /dev/mtdblock0 /tmp/wnap7300/mount -o ro
# Done.
# Uncompressed kernel in /tmp/wnap7300/kernel and rootfs mounted under /mnt/foo
# Cleanup when you're done
umount /tmp/wnap7300/mount
rmmod block2mtd
losetup -d /dev/loop0
rm -rf /tmp/wnap7300
WNAP-7200 (Ralink RT2880)
# Download + unpackmkdir -p /tmp/wnap7200
cd /tmp/wnap7200
wget "http://www.planet.com.tw/en/product/images/27635/FW_WNAP7200v32000426.zip"
unzip "FW_WNAP7200v32000426.zip"
mv "FW_WNAP7200v32000426" x
mv x/* .
# Kernel + Rootfsdd if="FW_WNAP7200v32000426" bs=64 skip=1 | unlzma -d > kernel.root
# Rootfs
# Got bored here as this is uninteresting platform with RT2880 soc.
# Rootfs is hacked up squashfs as usual. You can dump it with following command and then need to compile compatible unsquashfs tool.
dd if=kernel.root of=root.squashfs bs=2256919 skip=1
Protip: http://www.loohuis-consulting.nl/downloads/compliance-manual.pdf
Comments
Post a Comment
Got something to say?!