Topic: New: CFE Password Generator, Firmware Header Editor (Invalid Model ID)

Iam_TJ

I've just published two new tools for working with Broadcom CFE based devices. They are executable programs written in C, developed and tested only on Linux but ought to be cross-platform since there are no external dependencies besides the C standard library.

1. CFE Password Generator (cfe_pass_gen) - generate password without requiring "ATSE <model>" on device
2. Firmware Header Editor (fwheaditor) - alter the Model ID and CRC32 of firmware update files

fwheaditor is very useful for allowing 'Invalid Model ID' firmware updates to be uploaded via the router web interface such as with Eircom F1000 (model ID 6009) accepting generic Zyxel (model ID 6006) firmware images.

The source-code for both tools is published in my git repositories at:

https://iam.tj/gitweb/?p=cfe_generate_password.git;a=summary
https://iam.tj/gitweb/?p=firmware_header_edit.git;a=summary

Example Usage
Provided the router device and PC clocks are accurate, this command will generate a password for the 'ATEN' (or 'sys aten') device engineering access without requiring the use of 'ATSE' (seed generation) on the device:
Code: [Select]
$  cfe_generate_password/cfe_gen_pass -p -s ec:43:f6:46:c0:80
MAC address: ec:43:f6:46:c0:80 Timestamp: 00000000 (1970-01-01 00:00:00) Seed: 00000046c080 Password: 10f0a563

fwheaditor includes a testsuite (currently being developed) which has a test header. This example uses that in simulation (no file writes) mode to simulate altering a generic Zyxel firmware file to use the Eircom Model ID so it can be uploaded and flashed via the router's web interface:
Code: [Select]
$ firmware_header_edit/fwheaditor -s -w -i 6009 firmware_header_edit/testsuite/header_test.bin
Broadcom Consumer Router Firmware Header Editor
Version: 1.20
Copyright 2015-2016 TJ <hacker@iam.tj>
Licensed on the terms of the GNU General Public License version 3

In-place editing of header
Simulation mode; no file writes
Current      Manufacturer: MSTC_6006 Model: 6006 CRC32: 93d525bf Length: 236 File: firmware_header_edit/testsuite/header_test.bin
Calculated   Manufacturer: MSTC_6009 Model: 6009 CRC32: 639e7e4b Length: 236 File: firmware_header_edit/testsuite/header_test.bin
Written      Manufacturer: MSTC_6009 Model: 6009 CRC32: 639e7e4b Length: 236 File: firmware_header_edit/testsuite/header_test.bin
Manufacturer ID does match 'MSTC'

Get The Source
Code: [Select]
git clone git://iam.tj/cfe_generate_password.git
git clone git://iam.tj/firmware_header_edit.git

Build the executables
Change into each directory in turn and run 'make':
Code: [Select]
cd cfe_generate_password
make

cd ..

cd firmware_header_edit
make

cd ..

Documentation
Both tools contain extensive documentation on usage which is also displayed using the '-h' option.

cfe_gen_pass
Code: [Select]
cfe_generate_password/cfe_pass_gen -h

Generate Broadcom CFE seeds and passwords for many popular modem/router devices
Version: 1.30
Copyright 2015 TJ <hacker@iam.tj>
Licenced on the terms of the GNU General Public Licence version 3

Usage:
  -s 00:01:02:03:04:05 create seed from MAC address
  -t [00000000]        seconds since 1970-01-01 (defaults to NOW)
  -p [SEED]            generate password (with optional seed)
  -h                   show additional help

This tool can generate passwords for use with many devices that contain Broadcom Common Firmware Environment (CFE) bootbase which has a debug mode that is enabled using the 'ATEN 1 XXXXXXXX' command, where XXXXXXXX is an eight digit hexadecimal 'password'.

It is NOT necessary to have the device generate a 'seed' using 'ATSE [MODEL-ID]' because this tool can generate the seed from the device's first (base) MAC address.

When the device generates a seed it combines the number of seconds since 1970-01-01 00:00:00 with the router MAC address. Both are encoded in a single 6-byte hexadecimal number.

Each value is truncated to its 3 least significant bytes so, for example:

 $ date +%F.%T; echo "obase=16;$(date +%s)" | bc
 2016-03-26.23:06:32
 56F715F8

and MAC Address: EC:43:F6:46:C0:80

becomes F715F8 concatenated with 46C080

 CFE> ATSE DSL-2492GNAU-B1BC
 F715F846C080   <<<< last 3 bytes of MAC address
 ^^^^^^
   seconds since 1970-01-01 00:00:00 (2016-03-26 23:06:32)

*NOTE: the default seed after power-up is 000000 so no time value needs to be specified if 'ATSE <model-id-string>' has not been executed on the device.

Access to the device's console via a serial UART port, or a network telnet/ssh session, is required to enter the password.

So, for a device with base MAC address (reported by the CFE during boot) E.g:

 CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
  ...
 Base MAC Address                  : ec:43:f6:46:c0:80
  ...
 *** Press any key to stop auto run (1 seconds) ***
 CFE>

Using this tool do:

 ./cfe_gen_pass -s ec:43:f6:46:c0:80 -p

 MAC address: ec:43:f6:46:c0:80 Timestamp: 000000 Seed: 00000046c080 Password: 10f0a563

And on the device do:

 CFE> ATEN 1 10f0a563
 OK
 *** command status = 0

The tool can accept a timestamp as 8 hexadecimal characters (useful for testing the algorithm):

 ./cfe_gen_pass -t 56FA8C2B -s ec:43:f6:46:c0:80 -p

 MAC address: ec:43:f6:46:c0:80 Timestamp: 56FA8C2B (2016-03-29 14:07:39) Seed: FA8C2B46c080 Password: 1111bda5

fwheaditor
Code: [Select]
firmware_header_edit/fwheaditor -h

Broadcom Consumer Router Firmware Header Editor
Version: 1.20
Copyright 2015-2016 TJ <hacker@iam.tj>
Licensed on the terms of the GNU General Public License version 3

Usage:
  -i  replacement Model ID (default '6006')
  -l  bytes to calculate new CRC32 over (default 236)
  -m  current Manufacturer ID to match (default 'MSTC')
  -M  current Model ID to match (default '6006')
  -w  write to file (default only prints new values)
  -s  simulate; don't write to file when -w is given
  -t  output for automated test suite
  -q  quiet; only display result
  -h  show additional help

For routers using the Broadcom CFE ((Customer Premises Equipment) CPE Firmware Environment) and firmware update files.

Avoid the 'Invalid Model Id' error reported by the HTTP firmware upload page in a device with an ISP-specific Model ID (E.g. Eircom F1000 uses 6009 rather than ZyXel VMG8324/VMG8924 generic 6006).

This tool re-generates the header CRC32 checksum (usually at offset 0xEC - 236) of the package header structure and optionally alters the manufacturer Model ID of the firmware image.

To identify the current Model ID of the device's firmware connect to its terminal using telnet or ssh and query the manufacturer data that is stored in the ROM image:

 > sys atsh
 ...
 Other Feature Bits     :
           4d 53 60 09 00 00 00 00-00 00 00 00 00 00 00 00

The first pair of bytes here are ASCII characters 'MS' (code for MitraStar).
The second pair are the Model ID '6009'.

A firmware update file (which usually has a .bin suffix) starts with a 256 byte header that describes the contents and contains data-verification checksums.
Specific to Mitrastar (MSTC), and therefore also Zyxel, the Model ID is stored in the 'signiture_1' manufacturer-specific info field starting at offset 4.
This 20-byte field is split into two parts, both ASCII zero-terminated strings:

 a) the manufacturer ID and model ID (e.g. 'MSTC_6006')
 b) the model ID (e.g. '6006')

By replacing the model ID with one matching the specific device and updating the header CRC32 checksum, the device's HTTP firmware update interface will accept the file.

Example usage:

# display detailed help
fwheaditor -h
# display current and calculated header based on default values
fwheaditor V1.00(AAKL.13)C0.bin
# change Model ID to 6009 and write to file only if current Manufacturer is the default
fwheaditor -i 6009 -w V1.00(AAKL.13)C0.bin
# change Model ID to 6009 and write to file only if current Manufacturer is 'BRCM'
fwheaditor -i 6009 -m BRCM -w V1.00(AAHL.13).bin
« Last Edit: March 29, 2016, 06:20:02 PM by Iam_TJ »
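The seed construction described in the post above (the low three bytes of the Unix time followed by the low three bytes of the base MAC, with 000000 as the power-up default), as an added C example that is not part of TJ's cfe_gen_pass source. Besides composing a seed it decodes one printed by the device after ATSE and reports how far the PC clock is from the clock the device used, which is the "clocks are accurate" condition the password generation relies on. The seed-to-password step is not described on this page and is not implemented here; the function names are my own.

```c
/* cfe_seed.c: build and decode the 12-digit hex seed that "ATSE <model>" prints:
 * low 3 bytes of the Unix time followed by the low 3 bytes of the base MAC.
 * Added example, not the cfe_gen_pass source; the seed-to-password step is not
 * described on the page and is not implemented here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse "ec:43:f6:46:c0:80" (either case) into six bytes; -1 on bad input. */
int cfe_parse_mac(const char *s, uint8_t mac[6])
{
    unsigned b[6];
    int n = 0;
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%n",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &n) != 6 || s[n] != '\0')
        return -1;
    for (int i = 0; i < 6; i++)
        mac[i] = (uint8_t)b[i];
    return 0;
}

/* Seed = low 24 bits of ts, then the last three MAC bytes, as 12 hex digits.
 * ts == 0 gives the power-up default (ATSE never run): "000000" + MAC tail. */
int cfe_seed(uint32_t ts, const char *mac_str, char out[13])
{
    uint8_t mac[6];
    if (cfe_parse_mac(mac_str, mac) != 0)
        return -1;
    snprintf(out, 13, "%06X%02X%02X%02X", (unsigned)(ts & 0xFFFFFFu),
             (unsigned)mac[3], (unsigned)mac[4], (unsigned)mac[5]);
    return 0;
}

/* Split a seed printed by the device back into its timestamp and MAC parts. */
int cfe_seed_decode(const char *seed, uint32_t *ts_low, uint32_t *mac_low)
{
    unsigned t, m;
    int n = 0;
    if (strlen(seed) != 12 || sscanf(seed, "%6x%6x%n", &t, &m, &n) != 2 || n != 12)
        return -1;
    *ts_low = t;
    *mac_low = m;
    return 0;
}

/* Seconds the PC clock is ahead of the clock the device used when it printed
 * the seed (negative if behind), within the 24 bits that survive truncation.
 * A few seconds is normal; minutes means one clock is wrong and a password
 * generated on the PC will not match. Returns INT32_MIN on a malformed seed. */
int32_t cfe_seed_skew(const char *seed, uint32_t pc_ts)
{
    uint32_t t, m;
    if (cfe_seed_decode(seed, &t, &m) != 0)
        return INT32_MIN;
    int32_t d = (int32_t)(((pc_ts & 0xFFFFFFu) - t) & 0xFFFFFFu);
    if (d >= 0x800000)
        d -= 0x1000000;
    return d;
}

int main(int argc, char **argv)
{
    char seed[13];
    if (argc < 2) {
        fprintf(stderr, "usage: %s MAC [TIMESTAMP-HEX | 12-digit ATSE seed]\n", argv[0]);
        return 1;
    }
    /* A 12-digit second argument is a seed the device printed: report skew. */
    if (argc > 2 && strlen(argv[2]) == 12) {
        printf("PC clock minus device clock: %d s\n",
               (int)cfe_seed_skew(argv[2], (uint32_t)time(NULL)));
        return 0;
    }
    uint32_t ts = argc > 2 ? (uint32_t)strtoul(argv[2], NULL, 16) : (uint32_t)time(NULL);
    if (cfe_seed(ts, argv[1], seed) != 0) {
        fprintf(stderr, "bad MAC address: %s\n", argv[1]);
        return 1;
    }
    printf("Timestamp: %08X Seed: %s\n", (unsigned)ts, seed);
    return 0;
}
```

Build with `cc -o cfe_seed cfe_seed.c`. `./cfe_seed ec:43:f6:46:c0:80` prints the seed for the current time, `./cfe_seed ec:43:f6:46:c0:80 0` the power-up default, and passing the seed the device printed after ATSE (e.g. `./cfe_seed ec:43:f6:46:c0:80 F715F846C080`) reports the clock skew in seconds, which is worth checking before trusting a password generated from the PC clock.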

kitz


Quote
fwheaditor is very useful for allowing 'Invalid Model ID' firmware updates to be uploaded via the router web interface such as with Eircom F1000 (model ID 6009) accepting generic Zyxel (model ID 6006) firmware images.

Hi TJ

Thank you for sharing your tools and source code with us.   It should prove useful for those wanting to 'convert' the F1000 back to a 'normal' VMG8324.

Iam_TJ

Re: New: CFE Firmware Header Dump
« Reply #2 on: April 08, 2016, 02:55:01 AM »

I've pushed out another tool which simply reports the header of a firmware update file.

3. Firmware Header Dump (fwheader) - report the fields in the firmware image file

Useful for checking the basic information about an update file.

Source-code at:

https://iam.tj/gitweb/?p=firmware_header_edit.git;a=summary

Example Usage

Code: [Select]
$ ./fwheader /tmp/zyxel/V100AAKL14C0.bin
Broadcom Consumer Router Firmware Header Dump
Version: 1.02
Copyright 2015-2016 TJ <hacker@iam.tj>
Licensed on the terms of the GNU General Public License version 3

Header Offset: 0x00000000
Image Offset:  0x00020000
0000 Tag Version: 6
0004 Signature 1: MSTC_6006
0018 Signature 2: ver. 2.0
0026 Chip ID: 63268
002c Board ID: 963168VX
003c Big Endian: Yes
003e Image Len: 25952256 (0x018c0000)
0048 CFE Address: 0 (0x00000000)
0054 CFE Len: 0 (0x00000000)
005e Root FS Address: 3217293312 (0xbfc40000)
006a Root FS Len: 25952256 (0x018c0000)
0074 Kernel Address: 0 (0x00000000)
0080 Kernel Len: 0 (0x00000000)
008a Image Sequence:  (0x00000000)
008e External Version: 1.00(AAKL.14)C0
00ae Internal Version: 1.00(AAKL.14)C0
00ce Image Next: 1
00d8 Image Validation Token: 0x1c633f00
00ec Tag Validation Token:   0xbdde4316
     Calculated Image CRC32: 0x1c633f00
     Calculated Tag   CRC32: 0xbdde4316

Header Offset: 0x018e0000
Image Offset:  0x018e0020
0000 Image Next: 0
0001 Image Type: IMGDEF (0)
0003 Image Signature: 0
0005 Image Len: 23305 (0x00005b09)
0018 Image Validation Token: 0xd78f9ceb
001c Tag Validation Token:   0x8681f430
     Calculated Image CRC32: 0xd78f9ceb
     Calculated Tag CRC32:   0x8681f430

Get The Source
Code: [Select]
git clone git://iam.tj/firmware_header_dump.git
Build the executable
Code: [Select]
cd firmware_header_dump
make
« Last Edit: April 08, 2016, 12:19:36 PM by Iam_TJ »
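A parser for the 256-byte header described in the first post (the signiture_1 field holding 'MSTC_6006' and '6006', the tag CRC32 over the first 236 bytes) and dumped by fwheader above, as an added C example rather than code from the fwheader or fwheaditor repositories. It extracts the manufacturer and model ID, checks the tag validation token, refuses to rewrite the model ID when the manufacturer does not match (fwheaditor's -m check) and re-seals the header. Three things are assumptions the page does not confirm: the CRC is the reflected 0xEDB88320 polynomial with initial value 0xFFFFFFFF and no final XOR; the token is stored as a big-endian 32-bit value; and part (b) of signiture_1 begins right after the terminator of part (a). Check the first two against fwheader's "Calculated Tag CRC32" on a real file before acting on a mismatch. The header built by bcm_tag_example() is constructed for the example, not taken from real firmware, and all function names are my own.

```c
/* bcm_tag.c: parse, verify and re-seal the 256-byte header at the start of a
 * Broadcom CFE firmware update file. Added example, not code from fwheader or
 * fwheaditor; the offsets are the ones fwheader prints on this page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BCM_TAG_LEN     256   /* header size                                    */
#define BCM_TAG_CRC_LEN 236   /* bytes covered by the tag token (fwheaditor -l) */
#define OFF_SIG1        0x04  /* signiture_1: "MSTC_6006\0" then "6006\0"       */
#define SIG1_LEN        20
#define OFF_TAG_TOKEN   0xEC  /* tagValidationToken; 0xD8 is the image token    */

/* Reflected CRC-32, poly 0xEDB88320, init 0xFFFFFFFF, NO final XOR.
 * ASSUMPTION: this is the variant behind the tokens. Compare with fwheader's
 * "Calculated Tag CRC32" on a real file before relying on it. */
uint32_t bcm_crc32(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* ASSUMPTION: tokens are stored as big-endian 32-bit values. */
static uint32_t get_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Split part (a) of signiture_1 ("MSTC_6006") into manufacturer and model.
 * Returns 0, or -1 if the field is not "<manuf>_<model>". */
int bcm_tag_model(const uint8_t *hdr, char manuf[8], char model[8])
{
    char sig[SIG1_LEN + 1];
    memcpy(sig, hdr + OFF_SIG1, SIG1_LEN);
    sig[SIG1_LEN] = '\0';                     /* field need not be terminated */
    const char *us = strchr(sig, '_');
    if (!us || us == sig || us - sig > 7 || strlen(us + 1) < 1 || strlen(us + 1) > 7)
        return -1;
    memcpy(manuf, sig, (size_t)(us - sig));
    manuf[us - sig] = '\0';
    strcpy(model, us + 1);
    return 0;
}

/* 1 if the stored tag token equals the CRC over the first 236 bytes. */
int bcm_tag_verify(const uint8_t *hdr)
{
    return get_be32(hdr + OFF_TAG_TOKEN) == bcm_crc32(hdr, BCM_TAG_CRC_LEN);
}

/* Recompute and store the tag token. The image token at 0xD8 is left alone:
 * it covers the payload, which a header edit does not touch. */
void bcm_tag_seal(uint8_t *hdr)
{
    put_be32(hdr + OFF_TAG_TOKEN, bcm_crc32(hdr, BCM_TAG_CRC_LEN));
}

/* Rewrite the model ID in both parts of signiture_1, only if the current
 * manufacturer is the expected one (the -m check), then re-seal.
 * ASSUMPTION: part (b) starts right after the terminator of part (a).
 * Returns 0; -1 unparsable; -2 manufacturer mismatch; -3 model too long. */
int bcm_tag_set_model(uint8_t *hdr, const char *want_manuf, const char *new_model)
{
    char manuf[8], model[8], sig[SIG1_LEN] = {0};
    if (bcm_tag_model(hdr, manuf, model) != 0)
        return -1;
    if (strcmp(manuf, want_manuf) != 0)
        return -2;
    size_t a = strlen(manuf) + 1 + strlen(new_model);      /* len("MSTC_6009") */
    if (strlen(new_model) > 7 || a + 1 + strlen(new_model) + 1 > SIG1_LEN)
        return -3;
    snprintf(sig, sizeof sig, "%s_%s", manuf, new_model);   /* part (a) */
    memcpy(sig + a + 1, new_model, strlen(new_model));     /* part (b) */
    memcpy(hdr + OFF_SIG1, sig, SIG1_LEN);
    bcm_tag_seal(hdr);
    return 0;
}

/* A constructed header in the page's layout (not taken from real firmware). */
void bcm_tag_example(uint8_t hdr[BCM_TAG_LEN])
{
    memset(hdr, 0, BCM_TAG_LEN);
    hdr[0] = '6';                              /* tag version          */
    memcpy(hdr + 0x04, "MSTC_6006", 10);       /* signiture_1 part (a) */
    memcpy(hdr + 0x0e, "6006", 4);             /* signiture_1 part (b) */
    memcpy(hdr + 0x18, "ver. 2.0", 8);         /* signiture_2          */
    bcm_tag_seal(hdr);
}
```

To use it on a real update file, read the first 256 bytes into a buffer and call bcm_tag_model() and bcm_tag_verify() before anything else: a header that fails the tag check under these assumptions tells you the CRC variant or token encoding is wrong, not that the file is bad. The write-back step that fwheaditor performs with -w is deliberately left out, since a header that verifies here but whose image token at 0xD8 no longer matches fwheader's calculated image CRC is still a bad upload.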

Iam_TJ

CFE Firmware Extractor
« Reply #3 on: April 09, 2016, 10:57:18 AM »

Close on the heels of the header dump comes another tool which extracts the payloads of a firmware update file. If the payloads are LZW compressed it decompresses them. It is an extension of the header dump tool and reports the same header information.

4. Firmware Extractor (fwex) - extracts payloads from firmware image file

Helpful if you want to mount the embedded root file-system locally or extract the router configuration file which is usually the 2nd payload image.

Source-code at:

https://iam.tj/gitweb/?p=firmware_extractor.git;a=summary

Example Usage

Code: [Select]
$ ./fwex -d /tmp/zyxel/V100AAKL14C0.bin
Broadcom Consumer Router Firmware payload extractor
Version: 1.00
Copyright 2015-2016 TJ <hacker@iam.tj>
Licensed on the terms of the GNU General Public License version 2 or later
Includes FFMPEG LZW library code with Broadcom CMS modifications

Found ROMD payload 0
  written to /tmp/zyxel/V100AAKL14C0.bin.00.bin
Image Offset:  0x00020000 (131072)
0000 Tag Version: 6
0004 Signature 1: MSTC_6006 (Model: 6006)
0018 Signature 2: ver. 2.0
0026 Chip ID: 63268
002c Board ID: 963168VX
003c Big Endian: Yes
003e Image Len: 25952256 (0x018c0000)
008e External Version: 1.00(AAKL.14)C0
00ae Internal Version: 1.00(AAKL.14)C0
00ce Image Next: 1
00d8 Image Validation Token: 0x1c633f00
00ec Tag Validation Token:   0xbdde4316
     Calculated Image CRC32: 0x1c633f00
     Calculated Tag   CRC32: 0xbdde4316

Found LZW compressed payload 1
  compressed: 23265 decompressed: 80030 bytes
  written to /tmp/zyxel/V100AAKL14C0.bin.01.bin
Image Offset:  0x018e0020 (26083360)
0000 Image Next: 0
0001 Image Type: IMGDEF (0)
0003 Image Signature: 0
0005 Image Len: 23305 (0x00005b09)
0018 Image Validation Token: 0xd78f9ceb
001c Tag Validation Token:   0x8681f430
     Calculated Image CRC32: 0xd78f9ceb
     Calculated Tag CRC32:   0x8681f430
Get The Source
Code: [Select]
git clone git://iam.tj/firmware_extractor.git
Build the executable
Code: [Select]
cd firmware_extractor
make

burakkucat


This thread has now been set "sticky".  :)

justdude


Is there a way to compress file back? :)

Iam_TJ


Is there a way to compress file back? :)
Yes. I was originally going to include that functionality in the 'fwex' tool since it is available in the underlying code I used from the Broadcom code-base, but I didn't have sufficient time to both build and test it since it would require quite extensive handling of user choices (as to where to insert the sub-image) and guard against bricking the router.

justdude


Great. I am asking because my idea is to modify config.bin from say zte 931 vii and upload it, hopefully restoring all settings I wanted (some of them not visible in webui since every provider gets to choose what to use/show and what to hide).

sinusoidal

Re: CFE Firmware Extractor
« Reply #8 on: January 08, 2017, 05:28:02 PM »

Helpful if you want to mount the embedded root file-system locally or extract the router configuration file which is usually the 2nd payload image.

How would you do this?  I've successfully extracted two binaries (the second is the config file), but I don't seem to be able to find the right method to mount what I assume is the larger filesystem BIN file.

Thanks for the great tools.

Code: [Select]
Found ROMD payload 0
  written to ./1.00(AAKL.15)C0.bin.00.bin
Image Offset:  0x00020000 (131072)
0000 Tag Version: 6
0004 Signature 1: MSTC_6006 (Model: 6006)
0018 Signature 2: ver. 2.0
0026 Chip ID: 63268
002c Board ID: 963168VX
003c Big Endian: Yes
003e Image Len: 26083328 (0x018e0000)
008e External Version: 1.00(AAKL.15)C0
00ae Internal Version: 1.00(AAKL.15)C0
00ce Image Next: 1
00d8 Image Validation Token: 0x6e79cbae
00ec Tag Validation Token:   0x0e6ebdb1
     Calculated Image CRC32: 0x6e79cbae
     Calculated Tag   CRC32: 0x0e6ebdb1

Found LZW compressed payload 1
  compressed: 23290 decompressed: 80182 bytes
  written to ./1.00(AAKL.15)C0.bin.01.bin
Image Offset:  0x01900020 (26214432)
0000 Image Next: 0
0001 Image Type: IMGDEF (0)
0003 Image Signature: 0
0005 Image Len: 23330 (0x00005b22)
0018 Image Validation Token: 0x6da17f29
001c Tag Validation Token:   0x5787f2e7
     Calculated Image CRC32: 0x6da17f29
     Calculated Tag CRC32:   0x5787f2e7


sinusoidal

Re: CFE Firmware Extractor
« Reply #9 on: January 08, 2017, 05:58:40 PM »

I posted a bit too soon; I had forgotten to do the endian conversion.  It worked after that.  So for my own benefit:

Code: [Select]
mkdir /mnt/jffs2
modprobe mtdram total_size=32768 erase_size=256
modprobe mtdblock
modprobe mtdchar
mknod /dev/mtdblock0 b 31 0   # not needed if /dev/mtdblock0 exists already
jffs2dump --bigendian "1.00(AAKL.15)C0.bin.00.bin" --endianconvert=rw1.jffs2
dd if="rw1.jffs2" of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
« Last Edit: January 08, 2017, 11:19:52 PM by sinusoidal »