0

I have a ROM dump firmware which must be reversed (as a task). Binwalk output:

 DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 88 0x58 uImage header, header size: 64 bytes, header CRC: 0x535A17E8, created: 2015-05-13 06:08:01, image size: 1168920 bytes, Data Address: 0x80002000, Entry Point: 0x80006230, data CRC: 0x54A2AE00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Moxa-IW awk series" 152 0x98 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 3392000 bytes 1169108 0x11D6D4 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 5833114 bytes, 806 inodes, blocksize: 131072 bytes, created: 2015-05-13 06:07:57 7005944 0x6AE6F8 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2733378 bytes, 330 inodes, blocksize: 131072 bytes, created: 2015-05-13 06:07:58

After extract data and decompress LZMA, I have binary file "98", binwalk output for it:

 DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 1866012 0x1C791C Certificate in DER format (x509 v3), header length: 4, sequence length: 4 2169826 0x211BE2 mcrypt 2.5 encrypted data, algorithm: " !0B", keysize: 12290 bytes, mode: "B", 2605176 0x27C078 Linux kernel version "2.6.31--LSDK-WLAN-10.2.85 () #1 PREEMPT Wed May 13 14:00:35 CST 2015 " 2613200 0x27DFD0 gzip compressed data, maximum compression, from Unix, last modified: 2015-05-13 06:00:00 2693056 0x2917C0 CRC32 polynomial table, little endian 2724896 0x299420 CRC32 polynomial table, big endian 3024579 0x2E26C3 Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)" 3391488 0x33C000 ASCII cpio archive (SVR4 with no CRC), file name: "/dev", file name length: "0x00000005", file size: "0x00000000" 3391604 0x33C074 ASCII cpio archive (SVR4 with no CRC), file name: "/dev/console", file name length: "0x0000000D", file size: "0x00000000" 3391728 0x33C0F0 ASCII cpio archive (SVR4 with no CRC), file name: "/root", file name length: "0x00000006", file size: "0x00000000" 3391844 0x33C164 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"

Before offset 1866012 there are some unrecognized data. When I unpack this binary, I get kernel configure file, cpio archive and some binary 1C791C.crt, as I understand it, which contains kernel files. How i can correctly extract bootloader and Linux kernel files? See:

Improve this question
2
  • aren't you supposed to do this "task" yourself? Commented Nov 19, 2017 at 19:50
  • could you download 98.bin in IDA?? Commented Jan 28, 2019 at 8:31

1 Answer 1

Reset to default
3

If you extract this file in the right way, you will get linux root filesystem as it is.(2 types in this case) root FS 1

root FS 2 I don't see any kind of bootloader, the dump seems to be only the root fs and kernel part.

If you open file "98.bin" again with 7zip, it will open again, thats because of this data at the end of file: entropy 98.bin The .cer file you get from binwalk is not real certificate file, is just a coincidence of hex header 0x3082, which is used for certificates, but in this case is just pure code and has not the cert structure.

Improve this answer
2
  • could you describe the "right way" in a bit more detail? Commented Jan 29, 2019 at 9:23
  • @IgorSkochinsky sorry for delay I was really disconnected. The right way seems to be just clicking right button and open with 7zip, very easy task. Commented Apr 25, 2019 at 11:30

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.