EmbeddedRelated.com
Forums
The 2024 Embedded Online Conference
   Forums    More Forums    comp.arch.embedded  

Decompile/disassmble embedded software (bootloaders)

Started by Gianguido March 10, 2015
Hi all,
In cheap home routers it happens that bootloaders perform some checks to 
allow only vendor-approved firmware releases.
Bootloaders are tiny -usually 64 bytes- and often contain meaningful 
strings about check errors, so it shouldn't be hard to decompile and 
change the conditional jumps and avoid checks.

I have some very basic knowledge about decompiling/disassembling for x86 
and would like to try and disassemble these bootloaders.
Architectures is usually MIPS/MIPSEL.

would you have any suggestions about where to start? ie. if you know 
some tools and or examples out there?

thanks
G.
Reply by David Brown March 10, 20152015-03-10
On 10/03/15 18:25, Gianguido wrote:

> Hi all,
> In cheap home routers it happens that bootloaders perform some checks to
> allow only vendor-approved firmware releases.
> Bootloaders are tiny -usually 64 bytes- and often contain meaningful
> strings about check errors, so it shouldn't be hard to decompile and
> change the conditional jumps and avoid checks.
>
> I have some very basic knowledge about decompiling/disassembling for x86
> and would like to try and disassemble these bootloaders.
> Architectures is usually MIPS/MIPSEL.
>
> would you have any suggestions about where to start? ie. if you know
> some tools and or examples out there?
>
> thanks
> G.


Most cheap home routers can be used with alternative firmware by simply 
"updating" them with properly built images.  The biggest project 
covering this sort of thing is www.openwrt.org - they also have 
information about bootloader configurations for a large number of routers.
Reply by Peter Heitzer March 11, 20152015-03-11
Gianguido <wpoirtu@afri.com> wrote:

>Hi all,
>In cheap home routers it happens that bootloaders perform some checks to 
>allow only vendor-approved firmware releases.
>Bootloaders are tiny -usually 64 bytes- and often contain meaningful 

ITYM 64 KiB.

>strings about check errors, so it shouldn't be hard to decompile and 
>change the conditional jumps and avoid checks.

If the bootloader is part of the controller's flash, it might be protected
and cannot be read out.

-- 
Dipl.-Inform(FH) Peter Heitzer, peter.heitzer@rz.uni-regensburg.de
HTML mails will be forwarded to /dev/null.
You might also like... (promoted content)
Check out Memfault's New Sandbox!
Check out Memfault's New Sandbox!
Check out Memfault's New Sandbox!
Upcoming Course - Python Applications for Digital Design and Signal Processing
Upcoming Course - Python Applications for Digital Design and Signal Processing
Upcoming Course - Python Applications for Digital Design and Signal Processing
The 2024 Embedded Online Conference - Register Early and Save with Promo Code ER2024!
The 2024 Embedded Online Conference - Register Early and Save with Promo Code ER2024!
The 2024 Embedded Online Conference - Register Early and Save with Promo Code ER2024!
The 2024 Embedded Online Conference