Reverse Engineering Asked by tehcereal on December 19, 2020
im having trouble to extract a file system of a ZTE zxv10 h201 router. Im a beginner in reverse engineering so I am probably doing something wrong. This is what I have done so far.
I got the admin username and password for the web interface and enabled telnet.
I connected to the router using telnet
BusyBox v1.01 (2012.01.29-08:14+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cat proc/mtd
dev: size erasesize name
mtd0: 00800000 00010000 "whole_flash"
mtd1: 00020000 00010000 "bootloader"
mtd2: 00040000 00010000 "userconfig"
mtd3: 00150000 00010000 "kernel"
mtd4: 00650000 00010000 "filesystem"
#
# help
Built-in commands:
-------------------
. : break cd chdir continue eval exec exit export false hash
help local pwd read readonly return set shift times trap true
type ulimit umask unset wait [ ash brctl busybox cat cp date
df echo free fuser getty hostname ifconfig init insmod kill killall
linuxrc ln login ls lsmod mkdir mknod mount mv passwd ping ps
pwd reboot rm rmdir rmmod setmac sh test tftp top traceroute
umount wget
#
Then I used
# cat /dev/mtdblock4 > /mnt/usb1_1/filesystem
# cat /dev/mtdblock0 > /mnt/usb1_1/whole_flash
To transfer the binary to the usb plugged in the router.
This is what i got with
binwalk whole_flash
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1288 0x508 CFE boot loader
7204 0x1C24 LZMA compressed data, properties: 0x5D, dictionary size: 4194304 bytes, missing uncompressed size
131708 0x2027C Zlib compressed data, compressed
148092 0x2427C Zlib compressed data, compressed
184956 0x2D27C PEM RSA private key
185919 0x2D63F PEM certificate
197244 0x3027C Zlib compressed data, compressed
262780 0x4027C Zlib compressed data, compressed
328316 0x5027C Zlib compressed data, compressed
328640 0x503C0 Zlib compressed data, compressed
328844 0x5048C Zlib compressed data, compressed
.....
346480 0x54970 Zlib compressed data, compressed
346956 0x54B4C Zlib compressed data, compressed
347388 0x54CFC Zlib compressed data, compressed
347820 0x54EAC Zlib compressed data, compressed
348252 0x5505C Zlib compressed data, compressed
348684 0x5520C Zlib compressed data, compressed
393484 0x6010C LZMA compressed data, properties: 0x5D, dictionary size: 4194304 bytes, missing uncompressed size
1769472 0x1B0000 Squashfs filesystem, big endian, version 2.0, size: 5866724 bytes, 638 inodes, blocksize: 65536 bytes, created: Sun Jan 29 09:31:45 2012
Im having issues with the filesystem binary because non of the unsquashfs versions in the firmware modification kit “works” properly for me because all I get is 307,0 kB worth of files.
You should not be using "cat". "cat" was made thinking about printable characters and it is very likely that THAT is your problem. Something might be messed up after "cat", causing the trouble with filesystem recognition.
Use "dd" for reliable byte-by-byte copies.
Answered by DarkLighting on December 19, 2020
I have same device, you can try this busybox which I compiled for that device, just type ./busybox_unstripped dd
in order to use dd
./busybox_unstripped
BusyBox v1.13.4 (2017-03-09 17:30:22 CET) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!
Currently defined functions:
ash, bunzip2, bzcat, cat, cp, cut, date, dd, echo, expr, false, free,
grep, halt, head, hostname, ifconfig, init, ip, kill, killall, klogd,
ln, ls, mkdir, mount, ping, poweroff, ps, reboot, renice, rm, route,
sh, sleep, syslogd, tail, true, umount, wc
I also found firmware on internet for that device which you could download here
Answered by Vido on December 19, 2020
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP