Random Noise

cat /dev/random >> /dev/dsp

Extracting firmware for 43660c

leave a comment »

1. Extract the dhd.k0 from the trx firmware
2. Find the array object in the dhd.ko that holds the firmware.

For example we know the wireless chip is a 4366c0. Then find all symbols in the .ko using readelf

~$ readelf -s dhd.ko | grep 4366c0
 218: 00198b6c 4 OBJECT GLOBAL DEFAULT 35 active_cons_4366c0
 227: 00198b40 18 OBJECT GLOBAL DEFAULT 35 dlimagever_4366c0
 247: 00198a94 169 OBJECT GLOBAL DEFAULT 35 dlimagename_4366c0
 347: 00198b68 1 OBJECT GLOBAL DEFAULT 35 dlimagetag_4366c0
 478: 00198b54 20 OBJECT GLOBAL DEFAULT 35 dlimagedate_4366c0
 518: 00198b70 <b>0xe3f38</b> OBJECT GLOBAL DEFAULT 35 dlarray_4366c0
 624: 000022e4 4 OBJECT GLOBAL DEFAULT 46 debug_params_4366c0

 

Note down the size for the array object. Here it is 0xe3f38 hex. Or 933688 bytes in decimal

Now we need to find the beginning offset of the array object in the .ko file. For that we inspect and already available firmware for 4366b. You see the firmware starts with 00 F2 3E B8 04 F2

screenshot-from-2017-02-12-15-39-13

And ends with firmware Id  plus 4 bytes

screenshot-from-2017-02-12-15-41-39

Taking a clue from above. We first try to find 00 F2 3E B8 04 F2 and from that offset extract 933688 bytes as we found out from elfread.

~$ dd if=dhd.ko skip=1906224 ibs=1 count=933688 of=brcmfmac4366c-pcie.bin

Examining the extracted file we can confirm the beginning and end bytes are
00 F2 3E B8 04 F2 and (firmware Id  plus 4 bytes) respectively

Advertisements

Written by Vivek Unune

February 12, 2017 at 8:47 pm

Posted in linux, openwrt

Tagged with , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: