life ideas

December 6, 2006

ramfs

Filed under: Uncategorized — manoftoday @ 7:49 am

Mss Extract Firmware

Decoding MSS firmware v1.2.0

The firmware file for MSS actually contains two TRX images concatenated into one file, with a special header at the start.

The first TRX image contains the kernel and the pivot miniroot fs. The second TRX image contains only the rootfs that is to be written to disk.

The header looks like this:

42 52 43 4D     Magic - BRCM
03 00 00 00     0x03 = 3   = Number of sections
15 00 00 00     0x15 = 21  = TYPE_TAG
65 00 00 00     0x65 = 101 = buildinfo.txt size
00 00 00 00
12 00 00 00     0x12 = 18  = TYPE_FLASH
00 B0 18 00     0x18b000 = 1617920 = part1.trx size
00 00 00 00
13 00 00 00     0x13 = 19  = TYPE_DISK
00 B0 59 00     0x59b000 = 5877760 = part2.trx size
00 00 00 00

Section 1 – Buildinfo

00000020                                       46 69 72 6d  |            Firm|
00000030  77 61 72 65 0a 31 2e 32  2e 30 0a 75 6e 6b 6e 6f  |ware.1.2.0.unkno|
00000040  77 6e 0a 42 75 69 6c 64  20 64 61 74 65 3a 20 54  |wn.Build date: T|
00000050  68 75 20 4d 61 72 20 32  34 20 31 39 3a 30 30 3a  |hu Mar 24 19:00:|
00000060  32 32 20 50 53 54 20 32  30 30 35 0a 42 75 69 6c  |22 PST 2005.Buil|
00000070  64 20 62 79 3a 20 72 6f  6f 74 40 6c 6f 63 61 6c  |d by: root@local|
00000080  68 6f 73 74 2e 6c 6f 63  61 6c 64 6f 6d 61 69 6e  |host.localdomain|
00000090  0a                                                |.|

Section 2 – HDR0 (TRX-formatted image) at offset 145 (0x91):

00000091  48 44 52 30 00 b0 18 00  38 e8 51 52 00 00 01 00  |HDR0.°..8èQR....|
000000a1  1c 00 00 00 5c 93 11 00  00 00 00 00              |....\.......|

Kernel is at offset 173 (0xad):

000000ad  1f 8b 08 08 b3 7e 43 42  02 03 70 69 67 67 79 00  |....³~CB..piggy.|
000000bd  ec 7c 0d 74 5c e5 79 e6  3b f7 8e a4              |ì|.t\åyæ;÷.¤|

Mini romfs is at offset 1151981 (0x1193ed):

001193ed  45 3d cd 28 00 00 01 00  00 00 00 00 00 00 00 00  |E=Í(............|
001193fd  43 6f 6d 70 72 65 73 73  65 64 20 52 4f 4d 46 53  |Compressed ROMFS|
0011940d

Section 3 – HDR0 at offset 1618065 (0x18b091):

0018b091  48 44 52 30 00 b0 59 00  cf 28 de 2d 00 00 01 00  |HDR0.°Y.Ï(Þ-....|
0018b0a1  1c 00 00 00 00 00 00 00                           |........|

Main romfs, which is run from the hard drive, is at offset 1618093 (0x18b0ad):

0018b0ad  45 3d cd 28 00 00 01 00  00 00 00 00 00 00 00 00  |E=Í(............|
0018b0bd  43 6f 6d 70 72 65 73 73  65 64 20 52 4f 4d 46 53  |Compressed ROMFS|
0018b0cd
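
As an added example (not code from the original post), the Python below recomputes the offsets quoted above from the header fields alone. It assumes each section entry is three little-endian 32-bit words with the payloads stored back to back after the header, and the usual 28-byte TRX v1 header layout; the function names are illustrative.

```python
import struct

# Section type names exactly as listed in the post's header dump.
SECTION_TYPES = {0x15: "TYPE_TAG", 0x12: "TYPE_FLASH", 0x13: "TYPE_DISK"}

def parse_container(buf, total_len=None):
    """Return [(type_name, file_offset, size)] for each section."""
    if buf[:4] != b"BRCM":
        raise ValueError("bad container magic")
    (count,) = struct.unpack_from("<I", buf, 4)
    hdr_len = 8 + 12 * count  # assumption: three 32-bit words per entry
    if count > 16 or len(buf) < hdr_len:  # 16 is an arbitrary sanity bound
        raise ValueError("implausible or truncated section table")
    sections, offset = [], hdr_len  # assumption: payloads follow back to back
    for i in range(count):
        stype, size, _unknown = struct.unpack_from("<3I", buf, 8 + 12 * i)
        if total_len is not None and offset + size > total_len:
            raise ValueError("section runs past end of file")
        sections.append((SECTION_TYPES.get(stype, hex(stype)), offset, size))
        offset += size
    return sections

def parse_trx(buf, base):
    """Parse the 28-byte TRX header located at file offset `base`."""
    if len(buf) < 28:
        raise ValueError("truncated TRX header")
    magic, length, crc, flags, version, *parts = struct.unpack_from("<4sIIHH3I", buf)
    if magic != b"HDR0":
        raise ValueError("bad TRX magic")
    if any(p >= length for p in parts):
        raise ValueError("partition offset outside TRX image")
    # Partition offsets are relative to the TRX header; 0 marks an unused slot.
    return {"len": length, "crc32": crc, "flags": flags, "version": version,
            "partitions": [base + p for p in parts if p]}

# Header bytes copied from the dumps in the post.
HEADER = bytes.fromhex("4252434d 03000000 15000000 65000000 00000000 12000000"
                       " 00b01800 00000000 13000000 00b05900 00000000")
TRX1 = bytes.fromhex("48445230 00b01800 38e85152 00000100"
                     " 1c000000 5c931100 00000000")

if __name__ == "__main__":
    for name, off, size in parse_container(HEADER):
        print(f"{name:10s} offset=0x{off:06x} size={size}")
    flash_off = parse_container(HEADER)[1][1]
    print([hex(p) for p in parse_trx(TRX1, flash_off)["partitions"]])
```

Passing the real file length as `total_len` makes the parser reject a container whose declared section sizes run past the end of the file before anything is extracted.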