Patched ubiquiti firmware XW

blinkstar88 · October 18, 2022, 10:55pm

Hi,

I've patched firmware upgrade from ubiquiti to disable rsa sign. The firmware is XW v6.3.6. Extract the firmware and make some change to binary file and repacked with openwrt tool (mkwfirmware) and upgrade throught ssh with patched fwupgrade.real. the machine is litebeam m5. Airos come up with no problem.

I try every version of factory image from openwrt to upgrade via web gui without success.

I checked the factory image of openwrt with fwsplit and find out the kernel is over 1mb.

My question is, why the kernel from factory image of openwrt is over 1MB?

Thanks

frollic · October 19, 2022, 4:28am

Because it is a recent kernel release ?
Even if you go back to Backfire 10.03, most kernels will still be > 1Mb.

blinkstar88 · October 19, 2022, 5:54am

Yes, my mistake. The kernel size is right the problem is some minor error in version setting.

factory image from openwrt was set to v6.0. ubnt block to downgrade to lower version below 6.1.

repack factory image from openwrt 19.07 and set version to 6.5, from ssh i can upgrade to openwrt without no problem.

Heres the log:

login as: ubnt
ubnt@192.168.1.20's password:


BusyBox v1.24.2 (2021-08-18 19:26:48 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

XW.v6.3.6# cd /tmp/
XW.v6.3.6# ls
boot.txt            firmware-image.bin  fwupdate.real       running.cfg         stats               system.cfg          ubnt                ubntconf.log        upload
XW.v6.3.6# ./fwupdate.real -m firmware-image.bin
Current ver: 393990
New version: 394496
No need to fix.
Writing 'kernel         ' to /dev/mtd2(kernel         ) ...  [%100]
Writing 'rootfs         ' to /dev/mtd3(rootfs         ) ...  [%100]
Done


login as: root


login as: root


BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.10, r11427-9ce6aa9d8d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# dmesg
[    0.000000] Linux version 4.14.275 (builder@buildhost) (gcc version 7.5.0 (OpenWrt GCC 7.5.0 r11427-9ce6aa9d8d)) #0 Sat Apr 16 13:13:32 2022
[    0.000000] MyLoader: sysp=a5a5a5a5, boardp=b5a6a5a5, parts=a5a5a5a5
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[    0.000000] SoC: Atheros AR9342 rev 3
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] On node 0 totalpages: 16384
[    0.000000] free_area_init_node: node 0, pgdat 804f2dd0, node_mem_map 81000020
[    0.000000]   Normal zone: 128 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 16384 pages, LIFO batch:3
[    0.000000] random: get_random_bytes called from 0x804f4740 with crng_init=0
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line:  board=UBNT-LBE-M5 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,7552k(firmware),256k(cfg)ro,64k(EEPROM)ro console=ttyS0,115200 rootfstype=squashfs noinitrd
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 59320K/65536K available (3969K kernel code, 191K rwdata, 516K rodata, 304K init, 212K bss, 6216K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] Clocks: CPU:535.000MHz, DDR:400.000MHz, AHB:200.000MHz, Ref:40.000MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7144898866 ns
[    0.000010] sched_clock: 32 bits at 267MHz, resolution 3ns, wraps every 8027976190ns
[    0.008347] Calibrating delay loop... 266.64 BogoMIPS (lpj=1333248)
[    0.094971] pid_max: default: 32768 minimum: 301
[    0.100129] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.107200] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.117354] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.127862] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.135766] NET: Registered protocol family 16
[    0.142216] MIPS: machine is Ubiquiti Litebeam M5
[    0.408289] clocksource: Switched to clocksource MIPS
[    0.415009] NET: Registered protocol family 2
[    0.419902] IP idents hash table entries: 2048 (order: 2, 16384 bytes)
[    0.427702] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.435196] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.441999] TCP: Hash tables configured (established 1024 bind 1024)
[    0.448939] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.455175] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.462154] NET: Registered protocol family 1
[    0.466830] PCI: CLS 0 bytes, default 32
[    0.470388] Crashlog allocated RAM at address 0x3f00000
[    0.477497] workingset: timestamp_bits=30 max_order=14 bucket_order=0
[    0.490427] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.496638] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.518819] io scheduler noop registered
[    0.522999] io scheduler deadline registered (default)
[    0.529026] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.538245] console [ttyS0] disabled
[    0.562207] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 2500000) is a 16550A
[    0.571415] console [ttyS0] enabled
[    0.578854] bootconsole [early0] disabled
[    0.595439] m25p80 spi0.0: found mx25l6405d, expected m25p80
[    0.605925] m25p80 spi0.0: mx25l6405d (8192 Kbytes)
[    0.610977] 5 cmdlinepart partitions found on MTD device spi0.0
[    0.616981] Creating 5 MTD partitions on "spi0.0":
[    0.621880] 0x000000000000-0x000000040000 : "u-boot"
[    0.629042] 0x000000040000-0x000000050000 : "u-boot-env"
[    0.636093] 0x000000050000-0x0000007b0000 : "firmware"
[    0.652854] 2 uimage-fw partitions found on MTD device firmware
[    0.658921] 0x000000050000-0x0000001e0000 : "kernel"
[    0.664818] 0x0000001e0000-0x0000007b0000 : "rootfs"
[    0.670784] mtd: device 4 (rootfs) set to be root filesystem
[    0.676566] 1 squashfs-split partitions found on MTD device rootfs
[    0.682924] 0x000000450000-0x0000007b0000 : "rootfs_data"
[    0.691667] 0x0000007b0000-0x0000007f0000 : "cfg"
[    0.698051] 0x0000007f0000-0x000000800000 : "EEPROM"
[    1.448805] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:01 [uid=004dd023, driver=Atheros 8032 ethernet]
[    1.459674] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: mii
[    1.467902] NET: Registered protocol family 10
[    1.477750] Segment Routing with IPv6
[    1.481669] NET: Registered protocol family 17
[    1.486244] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    1.500057] 8021q: 802.1Q VLAN Support v1.8
[    1.506260] hctosys: unable to open rtc device (rtc0)
[    1.517138] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    1.526369] Freeing unused kernel memory: 304K
[    1.530922] This architecture does not have kernel memory protection.
[    2.311517] init: Console is alive
[    2.315263] init: - watchdog -
[    2.533374] random: fast init done
[    3.490899] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    3.564638] usbcore: registered new interface driver usbfs
[    3.570388] usbcore: registered new interface driver hub
[    3.575877] usbcore: registered new device driver usb
[    3.587190] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    3.595831] ehci-platform: EHCI generic platform driver
[    3.601965] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    3.619902] init: - preinit -
[    4.296515] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    4.328575] random: procd: uninitialized urandom read (4 bytes read)
[    6.479943] eth0: link up (100Mbps/Full duplex)
[    6.484592] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    7.660185] jffs2: notice: (405) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (0 unchecked, 1 orphan) and 1 of xref (1 dead, 0 orphan) found.
[    7.677330] mount_root: switching to jffs2 overlay
[    7.712423] overlayfs: upper fs does not support tmpfile.
[    7.724551] urandom-seed: Seeding with /etc/urandom.seed
[    7.925794] eth0: link down
[    7.943215] procd: - early -
[    7.946273] procd: - watchdog -
[    8.609238] procd: - watchdog -
[    8.612831] procd: - ubus -
[    8.732099] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.795532] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.802630] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.810385] procd: - init -
[    9.628883] kmodloader: loading kernel modules from /etc/modules.d/*
[    9.765297] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    9.787985] Loading modules backported from Linux version v4.19.237-0-ga6e4a1818efa
[    9.795835] Backport generated by backports.git v4.19.237-1-0-gffb89fd9
[    9.831044] ip_tables: (C) 2000-2006 Netfilter Core Team
[    9.856613] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
[    9.993845] xt_time: kernel timezone is -0000
[   10.063157] urngd: v1.0.2 started.
[   10.134428] PPP generic driver version 2.4.2
[   10.149370] NET: Registered protocol family 24
[   10.235523] ath: EEPROM regdomain: 0x0
[   10.235533] ath: EEPROM indicates default country code should be used
[   10.235538] ath: doing EEPROM country->regdmn map search
[   10.235556] ath: country maps to regdmn code: 0x3a
[   10.235562] ath: Country alpha2 being used: US
[   10.235567] ath: Regpair used: 0x3a
[   10.250598] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[   10.252960] ieee80211 phy0: Atheros AR9340 Rev:3 mem=0xb8100000, irq=47
[   10.398783] kmodloader: done loading kernel modules from /etc/modules.d/*
[   10.580325] random: crng init done
[   10.583794] random: 6 urandom warning(s) missed due to ratelimiting
[   24.912622] br-lan: port 1(eth0) entered blocking state
[   24.917943] br-lan: port 1(eth0) entered disabled state
[   24.923661] device eth0 entered promiscuous mode
[   24.975077] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   28.591715] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   28.622695] br-lan: port 2(wlan0) entered blocking state
[   28.628105] br-lan: port 2(wlan0) entered disabled state
[   28.633948] device wlan0 entered promiscuous mode
[   28.688961] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   28.695647] br-lan: port 2(wlan0) entered blocking state
[   28.701117] br-lan: port 2(wlan0) entered forwarding state
[   28.738513] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   29.219763] eth0: link up (100Mbps/Full duplex)
[   29.224437] br-lan: port 1(eth0) entered blocking state
[   29.229798] br-lan: port 1(eth0) entered forwarding state
root@OpenWrt:~#

Thanks