The Ralink 2150 is a MIPS based SoC, probably intended for use in a home Wifi router. It includes a 5 port ethernet switch along with the MIPS processor running at 384 Mhz. With 16 M of RAM, this would have been an impressive system once upon a time.
By interrupting U-Boot, it is possible to get an interactive U-Boot console and then use the "md" command to dump the flash. I write a simple python program to issue the "md" command and capture the output (there is 4M of flash).
After inspecting the boot message, I tentatively conclude there are 5 partitions:
0x00000 - 0x20000 128K boot loader 0x20000 - 0x30000 64k config 0x30000 - 0x40000 64k config2 0x040000 - 0x220000 1152k kernel 0x220000 - 0x400000 1152 kernel2It looks to me like config and config2 are redundant copies of each other, as are kernel and kernel2, but I will confirm this later. And they are not. Maybe they could or should be. This is definitely not the case with config since this part of flash is erased on each boot.
The first word in kernel and kernel2 is 0x27051956. This is the magic number for a U-Boot image, which is a known thing. The next step is to convert my ascii dumps into a binary image and then use some tools to further examine it. There are some hints in the following:
I write another simple python program to parse my ascii captures and generate a 4M file which is an image of the flash contents. I call it "femto.img". I extract the 34*64k bytes that are the "kernel" section above using "dd", but now I get into trouble with endian issues.
./mkimage: ERROR: "kernel.img" has corrupted data! GP Header: Size 27051956 LoadAddr c4486530I am using an mkimage from one of my ARM project builds, which are little endian. The MIPS can be either endian, but big-endian is the default and seems to be the usual thing. I could (and maybe should) get the U-Boot sources and build for a MIPS target.
binwalk kernel.img DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 uImage header, header size: 64 bytes, header CRC: 0xC4486530, created: 2011-10-06 01:41:24, image size: 1691872 bytes, Data Address: 0x80000000, Entry Point: 0x802A1000, data CRC: 0x4305B877, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image" 64 0x40 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3687954 bytesI can tell binwalk to do an extraction using the "-e" option and this gives me the following:
-rw-rw-r-- 1 tom tom 3687954 Jul 22 14:21 40 -rw-rw-r-- 1 tom tom 1966016 Jul 22 14:21 40.7zHere the "40.lz" file is simply my kernel.img with the 64 bytes at the front trimmed off. The file "40" has been decompressed somehow and indeed, the first part of it seems to be the kernel image, ready to be loaded into memory and run. I do not see any evidence of a filesystem however and that is the mystery at present.
A filesystem must follow the kernel (where else could it be?)
We see the following messages when booting:
## Booting image at bf040000 ... Verifying Checksum ... OK Uncompressing Kernel Image ... OK No initrd ## Transferring control to Linux (at address 802a1000) ... ## Giving linux memsize in MB, 16No hint of the size of the kernel before or after booting. These strange lines appear in the U-Boot environ variables. Note that "filesize" is never defined, and the "BC" addresses are never defined. Even the "8A" addresses are mysterious.
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize) u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
0x80000000 - 0x80ffffffSo, if we start the kernel at 802a1000 and the "data address" in the header is the load address, perhaps that tells us something, being well over 2M into the kernel image.
2904064 0x2C5000 LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, uncompressed size: 2874880 bytesSo the compressed image contains another compressed image after the kernel, which is sort of what we suspected. The uncompressed image (with the kernel in the front) is 3687954 bytes in size (0x384612)
I do this:
dd bs=4096 skip=709 if=40 of=fs.7z 7z e fs.7z file fs fs: ASCII cpio archive (SVR4 with no CRC)How about that? Now I extract this via:
mkdir files cd files cpio -i --no-absolute-filenames <../fs.cpioAnd now I have the root filesystem inside the "files" directory.
root:xSCV0.l5YF7k2:0:0:root:/root:/bin/sh sshd:xSCV0.l5YF7k2:0:0:root:/root:/bin/shThe following link shows the entire contents of the cpio archive:
Tom's electronics pages / [email protected]