Decompile/disassemble embedded software (bootloaders)
Started by Gianguido ● March 10, 2015

Hi all,

In cheap home routers it happens that bootloaders perform some checks to allow only vendor-approved firmware releases. Bootloaders are tiny (usually 64 bytes) and often contain meaningful strings about check errors, so it shouldn't be hard to decompile and change the conditional jumps and avoid checks.

I have some very basic knowledge about decompiling/disassembling for x86 and would like to try and disassemble these bootloaders. Architectures are usually MIPS/MIPSEL.

Would you have any suggestions about where to start? I.e., if you know some tools and/or examples out there?

Thanks,
G.
Reply by ● March 10, 2015
On 10/03/15 18:25, Gianguido wrote:
> Hi all,
> In cheap home routers it happens that bootloaders perform some checks to
> allow only vendor-approved firmware releases.
> Bootloaders are tiny -usually 64 bytes- and often contain meaningful
> strings about check errors, so it shouldn't be hard to decompile and
> change the conditional jumps and avoid checks.
>
> I have some very basic knowledge about decompiling/disassembling for x86
> and would like to try and disassemble these bootloaders.
> Architectures is usually MIPS/MIPSEL.
>
> would you have any suggestions about where to start? ie. if you know
> some tools and or examples out there?
>
> thanks
> G.

Most cheap home routers can be used with alternative firmware by simply "updating" them with properly built images. The biggest project covering this sort of thing is www.openwrt.org - they also have information about bootloader configurations for a large number of routers.
Reply by ● March 11, 2015
Gianguido <wpoirtu@afri.com> wrote:
> Hi all,
> In cheap home routers it happens that bootloaders perform some checks to
> allow only vendor-approved firmware releases.
> Bootloaders are tiny -usually 64 bytes- and often contain meaningful

ITYM 64 KiB.

> strings about check errors, so it shouldn't be hard to decompile and
> change the conditional jumps and avoid checks.

If the bootloader is part of the controller's flash, it might be protected and cannot be read out.

--
Dipl.-Inform(FH) Peter Heitzer, peter.heitzer@rz.uni-regensburg.de
HTML mails will be forwarded to /dev/null.