Skip to content

micsthepick/NETGEAR_sre

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
.vscode
.vscode
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
Makefile_fw_hacks
Makefile_fw_hacks
 
 
NEXT_STEPS.md
NEXT_STEPS.md
 
 
README.md
README.md
 
 
cc.sh
cc.sh
 
 
common.sh
common.sh
 
 
compile_fw_hacks.sh
compile_fw_hacks.sh
 
 
current_test_ls_command.sh
current_test_ls_command.sh
 
 
extract_image.sh
extract_image.sh
 
 
find_binary.sh
find_binary.sh
 
 
find_safely.sh
find_safely.sh
 
 
first_startup.sh
first_startup.sh
 
 
fw_hacks.c
fw_hacks.c
 
 
ghidra_func_rename.py
ghidra_func_rename.py
 
 
install_dynamic_busybox.sh
install_dynamic_busybox.sh
 
 
jump_to_start.gdb
jump_to_start.gdb
 
 
mounts_for_fw_pack.sh
mounts_for_fw_pack.sh
 
 
msm.py
msm.py
 
 
partitions.py
partitions.py
 
 
pre_debug.gdb
pre_debug.gdb
 
 
problem.txt
problem.txt
 
 
problem_datalib.txt
problem_datalib.txt
 
 
qemu-arm.conf
qemu-arm.conf
 
 
rebuild.sh
rebuild.sh
 
 
run_args.sh
run_args.sh
 
 
run_dbtool.sh
run_dbtool.sh
 
 
run_fwhacks_con.sh
run_fwhacks_con.sh
 
 
run_gdb.sh
run_gdb.sh
 
 
run_gef.sh
run_gef.sh
 
 
run_lighttpd_bb.sh
run_lighttpd_bb.sh
 
 
run_target_remote_gef.sh
run_target_remote_gef.sh
 
 

Repository files navigation

netgear router reversing/emulation project

first steps

loosely following https://boschko.ca/qemu-emulating-firmware/ install qemu (it's okay if the first command fails, as long as qemu-system, qemu-user-binfmt and qemu-user-static install)

sudo apt-get install qemu
sudo apt-get install qemu-user-static
sudo apt-get install qemu-user-binfmt
sudo apt-get install qemu-system

use binwalk to extract the squashfs (this article assumes you put the squashfs file in ~/NETGEAR_sre), and sudo unsquash to extract that. Now run:

for me the packaged fw is RBR350-V4.4.2.1.img, yours will most likely be different depending on what you download (try to unzip or untar first where applicable untill you have a .bin or .img)

# approximate steps
binwalk -y=ubi <fw>.img
# copy the integer <DECIMAL> offset from above and the other integer "image size: <BYTES> bytes"
dd if=<fw>.img of=ubifs.ubi bs=1 skip=<DECIMAL> count=<BYTES>
# e.g.
#DECIMAL                            HEXADECIMAL                        DESCRIPTION
#-------------------------------------------------------------------------------------------------------------------------------------
#264904                             0x40AC8                            UBI image, version: 1, image size: 43778048 bytes
##dd if=RBR350-V4.4.2.1.img of=ubifs.ubi bs=1 skip=26904 count=43778048
# if the output just gives a starting offset, use that and ignore the count=param, it will just raise a warning when extracting the ubi.
ubireader_extract_images ubifs.ubi

Put the arm binary in place

sudo cp $(which qemu-arm-static) squashfs-root/$(which qemu-arm-static)

use binwalk and python's ubireader to extract the squashfs image, then use squashfs-tools-ng to create a tarball called squashfs.tar.gz (sqfs2tar img-*ubi_rootfs.ubifs > ~/NETGEAR_sre/squashfs.tar.gz)

if at this point you still don't have the capability to chroot, then ensure /etc/binfmt.d/ or /usr/lib/binfmt.d/ contains qemu-arm.conf:

:qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:./scratch/usr/local/bin/qemu-arm:

then try

sudo systemctl reload systemd-binfmt

now, try running the dev console shell script first (needed to emulate a serial tty)

About

running netgear firmware locally

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages