
Decompile/disassemble embedded software (bootloaders)

Started by Gianguido March 10, 2015
Hi all,
In cheap home routers it happens that bootloaders perform some checks to 
allow only vendor-approved firmware releases.
Bootloaders are tiny -usually 64 bytes- and often contain meaningful 
strings about check errors, so it shouldn't be hard to decompile and 
change the conditional jumps and avoid checks.

I have some very basic knowledge about decompiling/disassembling for x86 
and would like to try and disassemble these bootloaders.
Architecture is usually MIPS/MIPSEL.

Would you have any suggestions about where to start? I.e. if you know 
some tools and/or examples out there?

thanks
G.
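As a starting point for the kind of MIPS/MIPSEL work asked about above, here is an added example (not code from the thread, and not from any real bootloader): a toy decoder for the MIPS32 branch and jump encodings plus a printable-string finder, run over a constructed byte blob. It assumes a raw image with no file header, an assumed load address `BASE`, and an assumed end of the code region `CODE_END`; every byte in `SAMPLE` is made up for the demo. Listing where the conditional branches go, next to where the error strings live, is the part of the job a disassembler automates and is what you need before you can tell what a check actually does.

```python
import re
import struct

# Added example (not from the thread): a toy decoder for MIPS32 branch/jump
# instructions plus a string finder, run over a constructed byte blob.
# Assumptions: raw image (no header), loaded at BASE, code ends at CODE_END;
# every value below is made up for the demo.
BASE = 0xBFC00000      # assumed load address (MIPS reset-vector region)
CODE_END = 0x24        # assumed end of the code region; data follows

REGS = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]


def words(*ws, little_endian=True):
    """Pack 32-bit words as MIPSEL (little-endian) or MIPS (big-endian) bytes."""
    fmt = "<I" if little_endian else ">I"
    return b"".join(struct.pack(fmt, w) for w in ws)


# Constructed sample image: a few instructions, padding, then a string table.
SAMPLE = words(
    0x3C081234,  # lui  $t0, 0x1234
    0x14400003,  # bnez $v0, +3       -> BASE+0x14
    0x00000000,  # nop  (delay slot)
    0x1000FFFC,  # b    -4            -> BASE+0x00
    0x00000000,  # nop
    0x04810002,  # bgez $a0, +2       -> BASE+0x20
    0x00000000,  # nop
    0x0FF0000C,  # jal  BASE+0x30
    0x00000000,  # nop
) + b"\x00" * 28 + b"Bad firmware image\x00OK\x00Checksum error\x00"


def sext16(v):
    """Sign-extend a 16-bit immediate."""
    return v - 0x10000 if v & 0x8000 else v


def decode_branch(word, pc):
    """Return (mnemonic, target) if `word` at address `pc` is a branch/jump, else None."""
    op = word >> 26
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    # I-type branches: target = PC + 4 + (sign-extended imm16 << 2)
    target = (pc + 4 + (sext16(word & 0xFFFF) << 2)) & 0xFFFFFFFF
    if op == 0x04:                                # beq
        if rs == 0 and rt == 0:
            return ("b", target)
        return (f"beqz ${REGS[rs]}" if rt == 0 else f"beq ${REGS[rs]}, ${REGS[rt]}", target)
    if op == 0x05:                                # bne
        return (f"bnez ${REGS[rs]}" if rt == 0 else f"bne ${REGS[rs]}, ${REGS[rt]}", target)
    if op == 0x06 and rt == 0:
        return (f"blez ${REGS[rs]}", target)
    if op == 0x07 and rt == 0:
        return (f"bgtz ${REGS[rs]}", target)
    if op == 0x01 and rt in (0, 1):               # REGIMM: bltz / bgez
        return (f"{'bltz' if rt == 0 else 'bgez'} ${REGS[rs]}", target)
    if op in (0x02, 0x03):                        # j / jal: 26-bit index in the 256 MiB region of PC+4
        target = ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        return ("j" if op == 0x02 else "jal", target)
    return None


def find_branches(blob, base, code_end=None, little_endian=True):
    """List (address, mnemonic, target) for every branch/jump in blob[:code_end]."""
    fmt = "<I" if little_endian else ">I"
    end = len(blob) if code_end is None else code_end
    found = []
    for off in range(0, end - 3, 4):
        word = struct.unpack_from(fmt, blob, off)[0]
        dec = decode_branch(word, base + off)
        if dec:
            found.append((base + off, dec[0], dec[1]))
    return found


def find_strings(blob, base, min_len=4):
    """List (address, text) for runs of printable ASCII of at least min_len bytes."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(base + m.start(), m.group().decode("ascii")) for m in re.finditer(pat, blob)]


if __name__ == "__main__":
    for addr, mnem, tgt in find_branches(SAMPLE, BASE, CODE_END):
        print(f"{addr:08x}  {mnem:<16} -> {tgt:08x}")
    for addr, text in find_strings(SAMPLE, BASE):
        print(f'{addr:08x}  "{text}"')
```

The `little_endian` switch covers the MIPS versus MIPSEL distinction: the same words packed big-endian decode identically. The `code_end` bound matters because feeding data bytes to the decoder produces nonsense branches, and a real image has no marker telling you where code stops. For real work a full disassembler (objdump from a MIPS-targeted binutils build, or radare2, both of which handle MIPS) covers the whole ISA; this toy only handles the branch and jump subset so that the encoding is visible.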
On 10/03/15 18:25, Gianguido wrote:
> Hi all,
> In cheap home routers it happens that bootloaders perform some checks to
> allow only vendor-approved firmware releases.
> Bootloaders are tiny -usually 64 bytes- and often contain meaningful
> strings about check errors, so it shouldn't be hard to decompile and
> change the conditional jumps and avoid checks.
>
> I have some very basic knowledge about decompiling/disassembling for x86
> and would like to try and disassemble these bootloaders.
> Architectures is usually MIPS/MIPSEL.
>
> would you have any suggestions about where to start? ie. if you know
> some tools and or examples out there?
>
> thanks
> G.
Most cheap home routers can be used with alternative firmware by simply "updating" them with properly built images. The biggest project covering this sort of thing is www.openwrt.org - they also have information about bootloader configurations for a large number of routers.
Gianguido <wpoirtu@afri.com> wrote:
>Hi all,
>In cheap home routers it happens that bootloaders perform some checks to
>allow only vendor-approved firmware releases.
>Bootloaders are tiny -usually 64 bytes- and often contain meaningful
ITYM 64 KiB.
>strings about check errors, so it shouldn't be hard to decompile and
>change the conditional jumps and avoid checks.
If the bootloader is part of the controller's flash, it might be protected and cannot be read out.
-- 
Dipl.-Inform(FH) Peter Heitzer, peter.heitzer@rz.uni-regensburg.de
HTML mails will be forwarded to /dev/null.