Linux CPIO compression on MIPS

Hi, I bought a MIPS device (MT7628NN, 64MB RAM, 4MB Flash - it is lame, but it was cheap and looked like a nice device to play with) which is not supported by OpenWRT (in fact it is hard to find any information about it) and I wanted to prepare an OpenWRT port for it.

TLDR - I have a problem creating a properly decoded CPIO archive and I'm getting a Kernel panic - not syncing: junk in compressed archive error.

Before I create the OpenWRT port, I want to get access to the current software created by the manufacturer in order to play a little bit, learn the register map, GPIOs etc.

I've got a flash dump, analyzed it with binwalk and successfully extracted the CPIO filesystem. It contains a lot of useful information, e.g. the /etc/passwd file - it contains a password hash which I was not able to crack with John the Ripper on a GTX1060 for over 2 days...

echo "root:0YNPkIk/C8JrA:0:0:Adminstrator:/:/bin/sh" > /etc/passwd

and

echo "root:x:0:root" > /etc/group

Because of the problem with cracking this password I want to modify the CPIO filesystem and write it to the router. I have scripts which extract the firmware to a folder and then pack it again (with generation of uImage headers etc.), however I have a problem with repacking the CPIO and I'm getting the error Kernel panic - not syncing: junk in compressed archive on UART.

There are a lot of nested levels in this firmware, but long story short:

  • direct binary from SPI flash: uboot + uImage + LZMA
  • extracted LZMA contains: Linux kernel 2.6.36, CRC32 polynomial tables, SHA256 tables, XZ compressed data
  • extracted XZ contains CPIO archive of filesystem

I'm pretty confident that the scripts are working fine - if I use the unmodified (source) CPIO file, I'm able to generate a new image and the device boots properly. The only problem is when I extract the CPIO and want to pack it back (or maybe the problem already occurs during unpacking of the source CPIO). In order to e.g. modify the root password or add netcat to create a reverse shell, I need to modify those files. I used multiple ways to create the CPIO archive:

  • pax -w -x sv4cpio -s '>.>>' . > ../filesystem.cpio
  • find . | awk 'length($0) > 2' | cpio --reproducible --quiet -R 0:0 -o -H newc > ../filesystem.cpio
  • find . | cpio -oLv -H newc > ../filesystem.cpio
  • find . | cpio -o --format=newc --device-independent --ignore-devno > ../filesystem.cpio

and I still get this 'junk in compressed archive' error (even when I didn't modify the extracted filesystem itself).

Currently I'm out of ideas, as I have read almost all the sites on the internet while searching for different CPIO archiving methods.

Do you have any ideas what else can be wrong? Maybe you want to take a look? I have uploaded firmware here: https://easyupload.io/up2xrq

Here is my unpacking script (the binary has to be in the same directory and be called firmware.bin): https://pastebin.com/z6z3Rfma

Here is packing script: https://pastebin.com/PMBem9QA
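
A structural check that can be run on both the original and the repacked filesystem.cpio to see where they differ, added here as an example and not part of the thread or of the poster's scripts. It walks a newc ("070701") archive, verifies each header, the 4-byte alignment and the closing TRAILER!!! entry; the names walk_newc and make_entry and the sample archive are constructed for illustration.

```python
MAGIC, HDR_LEN = b"070701", 110   # newc magic, fixed ASCII header size
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")

def pad4(n):  # newc aligns file names and file data to 4-byte boundaries
    return (n + 3) & ~3

def walk_newc(blob):
    """Return (entries, problems) for a newc cpio archive held in bytes."""
    entries, problems, off = [], [], 0
    while True:
        hdr = blob[off:off + HDR_LEN]
        if len(hdr) < HDR_LEN:
            problems.append(f"archive ends at offset {off} without a TRAILER!!! entry")
            break
        if hdr[:6] != MAGIC:
            problems.append(f"bad magic {hdr[:6]!r} at offset {off}")
            break
        try:  # thirteen 8-digit hex fields follow the magic
            f = dict(zip(FIELDS, (int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13))))
        except ValueError:
            problems.append(f"non-hex header field at offset {off}")
            break
        name_end = off + HDR_LEN + f["namesize"]
        name = blob[off + HDR_LEN:name_end - 1]        # namesize counts the NUL
        data_off = pad4(name_end)
        next_off = pad4(data_off + f["filesize"])
        if data_off + f["filesize"] > len(blob):
            problems.append(f"data of {name!r} runs past the end of the archive")
            break
        if name == b"TRAILER!!!":
            if any(blob[next_off:]):                   # zero block padding is fine
                problems.append(f"non-zero bytes after trailer at offset {next_off}")
            break
        entries.append((name.decode(errors="replace"), f["mode"], f["uid"], f["gid"], f["filesize"]))
        off = next_off
    return entries, problems

def make_entry(name, data=b"", mode=0o100644):  # builds the constructed sample only
    n = name.encode() + b"\0"
    vals = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
    out = MAGIC + b"".join(b"%08X" % v for v in vals) + n
    out += b"\0" * (pad4(len(out)) - len(out)) + data
    return out + b"\0" * (pad4(len(out)) - len(out))

# Constructed sample archive, not data from the firmware in the thread.
SAMPLE = (make_entry(".", mode=0o040755) + make_entry("etc/motd", b"constructed sample\n")
          + make_entry("TRAILER!!!", mode=0))
```

Calling walk_newc(open("filesystem.cpio", "rb").read()) on each archive and comparing the two entry lists shows differences in names, modes, ownership and sizes.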

Try to check and maybe "fix" the magic bytes according to the compression that you want to use on the platform.

https://dev.archive.openwrt.org/ticket/6627

This is not the case - the problem is not at the LZMA level (when I'm using the original CPIO file, I'm able to generate firmware which boots properly). I expect that the problem is introduced during extraction of the CPIO or when I'm trying to pack the filesystem back into a CPIO.

I have the same problem, can anyone help?

Use a mod kit: