Saturday, August 16, 2014

Unpacking Huawei B593u compressed Broadcom CFE bootloader

Sorry, one more B593u post but felt this is worth documenting.

While hacking my way into Huawei B593u I had big problem with Huawei crippled CFE bootloader. It was not talking to me and when I finally did get it to talk to me it was only one way. All I could see was CFE> prompt after smashing ^C but nothing else.


I had already dumped CFE from flash by now so I obviously went to check it out but there was not much to see. So I ran binwalk and it told me CFE contained LZMA compressed data. Ah-ha! Initial bootloader decompresses LZMA part which will contain all the juicy bits.

Yet I couldn't unpack this LZMA blob. It was not total misidentification by binwalk either, clearly compressed data. Maybe it's not LZMA? After some failed attempts I remembered similar problem with Realtek squashsfs couple years ago. Back then problem was due newer LZMA decompressors being incompatible with outdated versions all these WiFi SoC vendors love to use.

I was able to extract Huawei compressed CFE using binary named "lzma_4k" which is part of Asus RT-N56U GPL release. I don't have sources for this so you'll need Linux system capable of running i386 binaries. Compiling old enough LZMA SDK might be enough, lzma_4k identifies itself as "LZMA Utility 4.63 : Igor Pavlov : Public domain : 2008-12-31", but no idea how many patches from Broadcom it contains.

# Find offset of compressed CFE
binwalk 0x000000-0x040000.bootloader 

38132           0x94F4          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 219824 bytes

# Skip beginning
dd if=0x000000-0x040000.bootloader bs=38132 skip=1 of=boot.lzma

# Get compatible lzma binary
wget --no-check-certificate "https://github.com/rrelmy/asus-rt-n56u-firmware/blob/master/src/ctools/lzma_4k?raw=true"

# Unpack
lzma_4k d boot.lzma boot

Quick "strings" on uncompressed boot loader reveals some interesting nvram parameters, namely "console_disable" which we simply set to 0 and like that serial port comes alive with CFE 5.60.120.9.


No comments:

Post a Comment

Got something to say?!