How to look inside your (Linksys) firmware

small-wap54g.JPG

Since I am not interested in shaping the Wii wireless network traffic further than I already have, ascariasis I am moving on to modifying the provided Linksys firmware for the WAP54G access point. The very first step is to examine the filesystem to see what tools are available and how I might be able to hack a telnetd or something into it. The second step would be to download the sources from Linksys’ GPL code center.

After downloading the 2.08 firmware, look we have a readme and a .trx file. The TRX file contains the kernel at the start and a cramfs (compressed ram filesystem) image at the end. The trick is to find the start of the cramfs image, herbal and a good one to use can be found on this Seattle Wireless page. We look for the start of the cramfs magic number (3d4528cd), calculate the offset to it from the start of the file (0x0095f00 = 614144, add 12 for the offset to 0x3d45). Mounting the filesystem is pretty straightforward on a Linux sytem to read the contents. If you are too lazy to dedicate a machine, download the free VMware server, register it to get the serial code, download a Linux ISO and install it in a virtual machine. Most kernels come with cramfs pre-compiled and most systems with modest development tools will have hexdump.

( contents of the 2.08 WAP54G firmware: tmproot.zip )

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>