Modifying "read-only" RT-AC66 K3 firmware

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
hanskloss
DD-WRT User


Joined: 30 May 2010
Posts: 98

PostPosted: Wed Nov 06, 2013 11:11    Post subject: Modifying "read-only" RT-AC66 K3 firmware Reply with quote
I like Kong's builds for my RT-AC66R, however not being able to modify some configuration files is exhausting in the long run. I run Asterisk 1.8/11 on my router and prefer to use the latest version. Lack of opkg.cfg for example makes me going over extra steps to have running the way I like, symbolic links that I prefer instead of directories, etc.

firmware-mod-kit that I used is advertised to work on dd-wrt images but it errors out on the Kong's images I've tried. Not having developer experience I decided to use some of its tools to reach my goal and learn in the process.
https://code.google.com/p/firmware-mod-kit/

This is not a guide, just writing this down to make easier for me to recreate steps in the future.
Please do not use these notes if you don't have means to unbrick your router!

My daily system is i686 Arch Linux with MATE desktop environment.

I already have binwalk installed and latest code for mod-kit can be checked out here:
git clone https://code.google.com/p/firmware-mod-kit/


Running extract-firmware.sh dd-wrt.v24-K3_AC_HIGHMEM.bin or make in the firmware-mod-kit/src directory should compile the tools used below (unsquashfs-lzma, mksquashfs-lzma, crcalc)
I renamed the above firmware file to make it easier working on it.

Steps taken:

1. Examine the firmware using binwalk

# binwalk kong23040.bin

Code:
DECIMAL      HEX          DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0            0x0          TRX firmware header, little endian, header size: 28 bytes, image size: 20996096 bytes, CRC32: 0x8420D4DD flags: 0x0, version: 1
28           0x1C         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4125056 bytes
1589248      0x184000     Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 19406283 bytes,  2119 inodes, blocksize: 131072 bytes, created: Fri Dec  6 11:20:39 2013



2. Let's Extract first parts of the firmware that stay unmodified

# dd if=kong23040.bin of=trxlzma count=1589248 bs=1
1589248+0 records in
1589248+0 records out
1589248 bytes (1.6 MB) copied, 2.56207 s, 620 kB/s

# binwalk trxlzma

Code:
DECIMAL      HEX          DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0            0x0          TRX firmware header, little endian, header size: 28 bytes, image size: 20996096 bytes, CRC32: 0x8420D4DD flags: 0x0, version: 1
28           0x1C         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4125056 bytes



3. Now let's extract squashfs from the firmware

# dd if=kong23040.bin of=squashfs skip=1589248 bs=1
19406848+0 records in
19406848+0 records out
19406848 bytes (19 MB) copied, 30.4902 s, 636 kB/s

# binwalk squashfs

Code:
DECIMAL      HEX          DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0            0x0          Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 19406283 bytes,  2119 inodes, blocksize: 131072 bytes, created: Fri Dec  6 11:20:39 2013



4. Now it's time to decompress it into squashfs-kong subfolder

# ./src/squashfs-3.0-lzma-damn-small-variant/unsquashfs-lzma -dest squashfs-kong squashfs

created 1572 files
created 238 directories
created 309 symlinks
created 0 devices
created 0 fifos


5. Make changes as needed. If adding files keep ownership as root:root

6. Compress back using default values

# ./src/squashfs-3.0-lzma-damn-small-variant/mksquashfs-lzma squashfs-kong newsquash
Creating little endian 3.0 filesystem on newsquash, block size 131072.

Little endian filesystem, data block size 131072, compressed data, compressed metadata, compressed fragments
Filesystem size 18320.05 Kbytes (17.89 Mbytes)
31.08% of uncompressed filesystem size (58948.81 Kbytes)
Inode table size 17136 bytes (16.73 Kbytes)
25.49% of uncompressed inode table size (67215 bytes)
Directory table size 18435 bytes (18.00 Kbytes)
51.75% of uncompressed directory table size (35625 bytes)
Number of duplicate files found 26
Number of inodes 2098
Number of files 1550
Number of fragments 170
Number of symbolic links 311
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 237
Number of uids 1
root (0)
Number of gids 0

7. Join the parts together
# cat trxlzma newsquash >> mod23040.bin

8. Now list the files sizes.
# ls -l

-rw-r--r-- 1 root root 20996096 Dec 7 09:28 kong23040.bin
-rw-rw-rw- 1 root root 20353024 Dec 7 10:00 mod23040.bin
-rwx------ 1 root root 18763776 Dec 7 09:59 newsquash
-rw-r--r-- 1 root root 19406848 Dec 7 09:47 squashfs
-rw-r--r-- 1 root root 1589248 Dec 7 09:45 trxlzma


# binwalk mod23040.bin

Code:
DECIMAL      HEX          DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0            0x0          TRX firmware header, little endian, header size: 28 bytes, image size: 20996096 bytes, CRC32: 0x8420D4DD flags: 0x0, version: 1
28           0x1C         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4125056 bytes
1589248      0x184000     Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 18759734 bytes,  2098 inodes, blocksize: 131072 bytes, created: Sat Dec  7 09:59:28 2013


Modified firmware has incorrect image size and checksum!


9. Convert size of new modified bin file into hex

20353024 --> 01 36 90 00
flipped --> 00 90 36 01

I used hex editor to change bytes at 04-07 offset

Before:
# hexdump -C -n 16 mod23040.bin

Code:
00000000  48 44 52 30 00 60 40 01  dd d4 20 84 00 00 01 00  |HDR0.`@... .....|




After:
Code:
00000000  48 44 52 30 00 90 36 01  dd d4 20 84 00 00 01 00  |HDR0..6... .....|



# binwalk mod23040.bin shows correct image size.

Code:
DECIMAL      HEX          DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0            0x0          TRX firmware header, little endian, header size: 28 bytes, image size: 20353024 bytes, CRC32: 0x8420D4DD flags: 0x0, version: 1
28           0x1C         LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4125056 bytes
1589248      0x184000     Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 18759734 bytes,  2098 inodes, blocksize: 131072 bytes, created: Sat Dec  7 09:59:28 2013



10. Update checksum

# ./src/crcalc/crcalc mod23040.bin

Processing 1 header(s) from mod23040.bin...
Processing header at offset 0...checksum(s) updated OK.
CRC(s) updated successfully.


and verify
# binwalk mod23040.bin

[code]DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0 0x0 TRX firmware header, little endian, header size: 28 bytes, image size: 20353024 bytes, CRC32: 0x770B61F7 flags: 0x0, version: 1
28 0x1C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4125056 bytes
1589248 0x184000 Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 18759734 bytes, 2098 inodes, blocksize: 131072 bytes, created: Sat Dec 7 09:59:28 2013/code]

O.K. Ready to flash

_________________
Asus RT-AC66R Target:brcm47xx SubTarget:mips74k Packages:mipsel_74kc
Netgear R7000 Target:bcm53xx Packages:arm_cortex-a9
Sponsor
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum