4

After struggling for days, I'm asking for help with this problem.

Link to download the firmware.

I dumped a firmware image from an EEPROM Spansion FL128SAIF00 with flashrom and a buspirate via SPI in-system extraction. Binwalk shows the following:

```
kartone@kartone-VirtualBox:~/project$ binwalk -eM newdump.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
65536         0x10000         Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "63168_FW_TW", ~CRC32 header checksum: 0x1FD327FA, ~CRC32 data checksum: 0xD3CB1AD5
1114112       0x110000        Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 7078804 bytes, 3030 inodes, blocksize: 65536 bytes, created: 2016-03-18 09:53:17
12189696      0xBA0000        Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "63168_FW_TW", ~CRC32 header checksum: 0x968C91F8, ~CRC32 data checksum: 0x9965CD
13172736      0xC90000        Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 2847848 bytes, 1171 inodes, blocksize: 65536 bytes, created: 2013-12-04 12:31:36
```

So the extraction shows:

```
kartone@kartone-VirtualBox:~/project/_newdump.bin.extracted$ ll -R
.:
total 9,5M
drwxr-xr-x 3 kartone kartone 4,0K dic 12 22:03 .
drwxr-xr-x 3 kartone kartone 4,0K dic 12 22:21 ..
-rw-r--r-- 1 kartone kartone 6,8M dic 12 22:03 110000.squashfs
-rw-r--r-- 1 kartone kartone 2,8M dic 12 22:03 C90000.squashfs
drwxr-xr-x 2 kartone kartone 4,0K dic 12 22:03 squashfs-root

./squashfs-root:
total 8,0K
drwxr-xr-x 2 kartone kartone 4,0K dic 12 22:03 .
drwxr-xr-x 3 kartone kartone 4,0K dic 12 22:03 ..
```

Binwalk is unable to extract those two squashfs filesystems:

```
kartone@kartone-VirtualBox:~/project/_newdump.bin.extracted$ binwalk 110000.squashfs

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 7078804 bytes, 3030 inodes, blocksize: 65536 bytes, created: 2016-03-18 09:53:17

kartone@kartone-VirtualBox:~/project/_newdump.bin.extracted$ binwalk C90000.squashfs

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 2847848 bytes, 1171 inodes, blocksize: 65536 bytes, created: 2013-12-04 12:31:36
```

So I tried to extract with these utilities (output reported for 110000.squashfs, but the same results with the second file, C90000.squashfs):

```
kartone@kartone-VirtualBox:~/project/_newdump.bin.extracted$ unsquashfs -v; unsquashfs 110000.squashfs
unsquashfs version 4.3 (2014/05/12)
copyright (C) 2014 Phillip Lougher <[email protected]>

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2,
or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
Parallel unsquashfs: Using 2 processors
lzma uncompress failed with error code 9
read_block: failed to read block @0x6bea07
read_fragment_table: failed to read fragment table index
FATAL ERROR:failed to read fragment table

kartone@kartone-VirtualBox:~/project/_newdump.bin.extracted$ sasquatch -v; sasquatch 110000.squashfs
unsquashfs version 4.3 (2014/05/12)
copyright (C) 2014 Phillip Lougher <[email protected]>

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2,
or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
SquashFS version [4.0] / inode count [3030] suggests a SquashFS image of the same endianess
Non-standard SquashFS Magic: shsq
Parallel unsquashfs: Using 1 processor
Trying to decompress using default gzip decompressor...
Trying to decompress with lzma...
Trying to decompress with lzma-adaptive...
Trying to decompress with lzma-alt...
Trying to decompress with lzma-ddwrt...
Trying to decompress with lzo...
Trying to decompress with xz...
read_block: failed to read block @0x6bea07
read_fragment_table: failed to read fragment table index
FATAL ERROR:failed to read fragment table
```

Sadly same results with firmware-mod-kit extracting script:

```
kartone@kartone-VirtualBox:~/project/_newdump.bin.extracted$ sudo /opt/firmware-mod-kit/unsquashfs_all.sh 110000.squashfs
Attempting to extract SquashFS 4.X file system...

Skipping squashfs-2.1-r2 (wrong version)...
Skipping squashfs-3.0 (wrong version)...
Skipping squashfs-3.0-lzma-damn-small-variant (wrong version)...
Skipping others/squashfs-2.0-nb4 (wrong version)...
Skipping others/squashfs-2.2-r2-7z (wrong version)...
Skipping others/squashfs-3.0-e2100 (wrong version)...
Skipping others/squashfs-3.2-r2 (wrong version)...
Skipping others/squashfs-3.2-r2-lzma (wrong version)...
Skipping others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools (wrong version)...
Skipping others/squashfs-3.2-r2-hg612-lzma (wrong version)...
Skipping others/squashfs-3.2-r2-wnr1000 (wrong version)...
Skipping others/squashfs-3.2-r2-rtn12 (wrong version)...
Skipping others/squashfs-3.3 (wrong version)...
Skipping others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools (wrong version)...
Skipping others/squashfs-3.3-grml-lzma/squashfs3.3/squashfs-tools (wrong version)...
Skipping others/squashfs-3.4-cisco (wrong version)...
Skipping others/squashfs-3.4-nb4 (wrong version)...
Skipping others/squashfs-hg55x-bin (wrong version)...
File extraction failed!
```

If useful, magic numbers of the file:

```
00000000  73 68 73 71 d6 0b 00 00  0d d0 eb 56 00 00 01 00  |shsq.......V....|
00000010  96 00 00 00 01 00 10 00  c0 06 01 00 04 00 00 00  |................|
00000020  af 02 97 59 00 00 00 00  94 03 6c 00 00 00 00 00  |...Y......l.....|
00000030  8c 03 6c 00 00 00 00 00  ff ff ff ff ff ff ff ff  |..l.............|
00000040  70 1e 6b 00 00 00 00 00  05 79 6b 00 00 00 00 00  |p.k......yk.....|
```

Any help will be greatly appreciated. Thanks.

6
  • 1
    Are you able to share the firmware image? Commented Dec 12, 2018 at 22:14
  • 1
    Edited: added link to download the firmware dump. Commented Dec 12, 2018 at 22:20
  • 2
    I don't have time to dig into it right now, but since the signatures are reported to be non-standard, what you can try is comparing the first 128 bytes or so against the squashfs data in this firmware binary, as well as comparing the byte values with the format specification. Vendors do seem to do odd things with formats from time to time. Commented Dec 13, 2018 at 0:44
  • @julian what firmware is this? Seems very similar to this I'm working on Commented Dec 16, 2018 at 21:48
  • It was shared on this site, but I cannot remember in which post, though. I believe it was for a Swisscom router. It may be from this post Commented Dec 17, 2018 at 2:36

1 Answer

4

This problem was due to a corrupted dump: it turned out that dumping in-system, in some way, wakes up the main CPU, which interferes with the EEPROM on the SPI bus. Desoldering the chip and reading it with the same tools managed to give a dump extractable with Binwalk.

1
  • 1
    It’s great you were able to figure out what was causing the problem. Thanks for posting the answer here Commented Feb 1, 2019 at 16:48
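
An added example, not part of the original question or answer: a parser for the first 80 bytes of a SquashFS 4.0 superblock, run on the hexdump from the question, plus a lookup that places the offset from the unsquashfs error in the image layout. The field order follows the SquashFS 4.0 on-disk superblock; the function names and region labels are this example's own.

```python
import struct
from datetime import datetime, timezone

# First 80 bytes of 110000.squashfs, copied from the hexdump in the question.
HEADER = bytes.fromhex(
    "73687371d60b00000dd0eb5600000100"
    "9600000001001000c006010004000000"
    "af0297590000000094036c0000000000"
    "8c036c0000000000ffffffffffffffff"
    "701e6b000000000005796b0000000000")

# SquashFS 4.0 superblock up to directory_table_start, little-endian, 80 bytes.
LAYOUT = struct.Struct("<4sIIIIHHHHHHQQQQQQ")
FIELDS = ("magic inodes mkfs_time block_size fragments compression block_log "
          "flags no_ids major minor root_inode bytes_used id_table "
          "xattr_table inode_table dir_table").split()
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def parse_superblock(raw):
    sb = dict(zip(FIELDS, LAYOUT.unpack_from(raw)))
    sb["created"] = datetime.fromtimestamp(sb["mkfs_time"], timezone.utc)
    sb["compressor"] = COMPRESSORS.get(sb["compression"], "unknown")
    return sb

def check_superblock(sb):
    """Return a list of findings; an empty list means a self-consistent header."""
    findings = []
    if sb["magic"] != b"hsqs":
        findings.append(f"non-standard magic {sb['magic']!r}")
    if sb["block_size"] != 1 << sb["block_log"]:
        findings.append("block_size does not match block_log")
    order = [LAYOUT.size, sb["inode_table"], sb["dir_table"],
             sb["id_table"], sb["bytes_used"]]
    if order != sorted(order):
        findings.append("table offsets are out of order")
    return findings

def region_of(sb, offset):
    """Name the region holding `offset`, e.g. one reported by read_block."""
    bounds = [(sb["inode_table"], "data blocks"),
              (sb["dir_table"], "inode table"),
              (sb["id_table"], "directory/fragment/export/id metadata"),
              (sb["bytes_used"], "id table index")]
    return next((name for end, name in bounds if offset < end),
                "past end of filesystem")

if __name__ == "__main__":
    sb = parse_superblock(HEADER)
    print(sb["inodes"], sb["bytes_used"], sb["compressor"], sb["created"])
    print(check_superblock(sb), region_of(sb, 0x6BEA07))
```

On this dump the header is self-consistent apart from the magic and agrees with Binwalk's report, while the failing offset 0x6bea07 falls after the directory table start, where the fragment table lives. A sane superblock therefore does not rule out damage deeper in the image.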
