Unpacking Huawei B593u compressed Broadcom CFE bootloader
Sorry, one more B593u post, but I felt this was worth documenting.
While hacking my way into the Huawei B593u I had a big problem with Huawei's crippled CFE bootloader. It was not talking to me, and when I finally did get it to talk it was only one way: all I could see was the CFE> prompt after smashing ^C, but nothing else.
I had already dumped the CFE from flash by then, so I obviously went to check it out, but there was not much to see. So I ran binwalk, and it told me the CFE contained LZMA compressed data. Ah-ha! The initial bootloader decompresses the LZMA part, which will contain all the juicy bits.
Yet I couldn't unpack this LZMA blob. It was not a total misidentification by binwalk either; it was clearly compressed data. Maybe it's not LZMA? After some failed attempts I remembered a similar problem with a Realtek squashfs a couple of years ago. Back then the problem was newer LZMA decompressors being incompatible with the outdated versions all these WiFi SoC vendors love to use.
I was able to extract the compressed Huawei CFE using a binary named "lzma_4k", which is part of the Asus RT-N56U GPL release. I don't have sources for it, so you'll need a Linux system capable of running i386 binaries. Compiling an old enough LZMA SDK might be enough (lzma_4k identifies itself as "LZMA Utility 4.63 : Igor Pavlov : Public domain : 2008-12-31"), but I have no idea how many Broadcom patches it contains.
# Find offset of compressed CFE
binwalk 0x000000-0x040000.bootloader
38132 0x94F4 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 219824 bytes
# Skip beginning
dd if=0x000000-0x040000.bootloader bs=38132 skip=1 of=boot.lzma
# Get compatible lzma binary (save it under a clean name and make it executable)
wget --no-check-certificate -O lzma_4k "https://github.com/rrelmy/asus-rt-n56u-firmware/blob/master/src/ctools/lzma_4k?raw=true"
chmod +x lzma_4k
# Unpack
./lzma_4k d boot.lzma boot
A quick "strings" on the uncompressed boot loader reveals some interesting nvram parameters, namely "console_disable", which we simply set to 0, and just like that the serial port comes alive with CFE 5.60.120.9.
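The binwalk/dd/lzma steps above, plus the final strings pass, done in one script, as an added example that is not part of the original post and not Huawei's or Asus's code. It scans an image for the 13-byte legacy LZMA ("lzma alone") header that binwalk's signature matches (props byte, little-endian dictionary size, little-endian uncompressed size), filters out false positives the way a practitioner would (dictionary sizes must be 2^n or 2^n + 2^(n-1), the first range-coder byte must be 0x00), carves the stream at that offset, decompresses it with Python's lzma module, and then pulls printable strings out of the result. The flash image, the payload and the "console_disable" text it contains are constructed for the demo; the only values taken from the post are the props byte 0x5D and the 8 MiB dictionary. If liblzma rejects the header, the script retries with the size field forced to "unknown" and keeps whatever decodes; that fallback is my own recovery trick and an assumption about the failure mode, not what the post did, and for a stream an old Broadcom-patched encoder wrote you may still need lzma_4k as described above.

```python
"""Locate, carve and decompress a legacy LZMA ("lzma alone") blob embedded in a
bootloader image, then list printable strings from the decompressed result.

Added example, not code from the original post.  The image, payload and string
contents are constructed for the demo; only the header layout (props, dict size,
uncompressed size) and the props 0x5D / 8 MiB dictionary match the post's output.
"""
import lzma
import re
import struct

HEADER_LEN = 13                      # props(1) + dict_size(4, LE) + uncompressed_size(8, LE)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF    # "size unknown, end-of-payload marker present"
MAX_PLAUSIBLE_SIZE = 1 << 28         # reject headers claiming more than 256 MiB (assumption)


def plausible_dict_size(d):
    """LZMA SDK encoders only emit dictionary sizes of 2^n or 2^n + 2^(n-1)."""
    return any(d == (1 << n) or d == (1 << n) + (1 << (n - 1)) for n in range(12, 27))


def parse_lzma_header(buf, off):
    """Decode the header at buf[off:]; return a dict, or None if it cannot be a real header."""
    if off + HEADER_LEN >= len(buf):
        return None
    props = buf[off]
    dict_size, usize = struct.unpack_from("<IQ", buf, off + 1)
    if props >= 9 * 5 * 5:                      # props = (pb * 5 + lp) * 9 + lc, so at most 224
        return None
    lc, rest = props % 9, props // 9
    lp, pb = rest % 5, rest // 5
    if not plausible_dict_size(dict_size):
        return None
    if usize != UNKNOWN_SIZE and usize > MAX_PLAUSIBLE_SIZE:
        return None
    if buf[off + HEADER_LEN] != 0:              # first range-coder byte of any LZMA stream is 0x00
        return None
    return {"offset": off, "props": props, "lc": lc, "lp": lp, "pb": pb,
            "dict_size": dict_size, "uncompressed_size": usize}


def find_lzma_headers(buf):
    """Scan every byte offset for a plausible header (roughly what binwalk's LZMA signature does)."""
    return [h for h in (parse_lzma_header(buf, off) for off in range(len(buf))) if h]


def carve_lzma(image, offset, chunk=4096):
    """Decompress the stream starting at offset; returns (data, complete).

    First try the header as-is (the dd + lzma step from the post).  If liblzma
    rejects it, which in my experience is usually a size field that does not match
    what the vendor's old encoder wrote (assumption), retry with the size forced to
    'unknown' and keep whatever decodes before the first error.
    """
    blob = image[offset:]
    try:
        dec = lzma.LZMADecompressor(lzma.FORMAT_ALONE)
        return dec.decompress(blob), dec.eof
    except lzma.LZMAError:
        pass
    patched = blob[:5] + struct.pack("<Q", UNKNOWN_SIZE) + blob[HEADER_LEN:]
    dec = lzma.LZMADecompressor(lzma.FORMAT_ALONE)
    out = bytearray()
    for i in range(0, len(patched), chunk):
        try:
            out += dec.decompress(patched[i:i + chunk])
        except lzma.LZMAError:
            break
        if dec.eof:
            break
    return bytes(out), dec.eof


def printable_strings(data, min_len=8):
    """Equivalent of `strings -n 8`: runs of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# --- constructed sample image (stands in for the 256 KiB flash dump) ----------
SAMPLE_PAYLOAD = (b"CFE boot loader, sample build (constructed)\n"
                  + b"nvram default: console_disable=1\n" * 40
                  + b"CFE> ")
LZMA1_FILTER = [{"id": lzma.FILTER_LZMA1, "dict_size": 8 << 20, "lc": 3, "lp": 0, "pb": 2}]  # props 0x5D


def build_sample_image():
    """Uncompressed stub + LZMA blob + flash padding, like the layout binwalk reported."""
    stub = b"\xff" * 32 + b"CFE1" + b"\x00" * 28        # 64 bytes, contains no valid header
    blob = lzma.compress(SAMPLE_PAYLOAD, format=lzma.FORMAT_ALONE, filters=LZMA1_FILTER)
    return stub + blob + b"\xff" * 16


if __name__ == "__main__":
    img = build_sample_image()
    for h in find_lzma_headers(img):
        size = "unknown" if h["uncompressed_size"] == UNKNOWN_SIZE else h["uncompressed_size"]
        print(f"0x{h['offset']:X}: props 0x{h['props']:02X} (lc={h['lc']} lp={h['lp']} pb={h['pb']}), "
              f"dict {h['dict_size']}, uncompressed {size}")
        data, complete = carve_lzma(img, h["offset"])
        print(f"  -> {len(data)} bytes, complete={complete}")
        print("  nvram-looking strings:", [s for s in printable_strings(data) if "console" in s][:1])
```

Run it as-is against the constructed image, or replace build_sample_image() with open("0x000000-0x040000.bootloader", "rb").read() to run it on a real dump. Note that liblzma always writes the uncompressed size as "unknown" plus an end marker, which is why the constructed header differs from the known-size header binwalk printed for the Huawei blob; the real stream the post unpacked was also rejected by modern decompressors, and in that situation the lzma_4k route above is the one that worked.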