I remembered that I looked at what Leland Flynn did on his router's image. This page is well done and I managed to read the image.
http://this8bitlife.com/adventures-in-l … -firmware/
Here are some results:
hexdump -C FW_GS3_R1N89.rmt > dumps/FW.hex
00000000 00 7d 60 00 6c 5e 4c 7a bc 00 1f 62 c0 24 7d f0 |.}`.l^Lz¼..bÀ$}ð|
00000010 d2 19 ce e7 37 71 d5 a8 f3 af 79 27 12 a1 2e d1 |Ò.Îç7qÕ¨ó¯y'.¡.Ñ|
00000020 56 95 f3 6a 00 68 f8 8d b5 f8 3e 17 79 f0 53 c9 |V.ój.hø.µø>.yðSÉ|
00000030 b1 41 ca e4 27 31 fd dd 73 74 61 72 74 20 73 65 |±AÊä'1ýÝstart se|
00000040 63 74 69 6f 6e 0a 72 67 5f 68 77 3a 20 42 43 4d |ction.rg_hw: BCM|
00000050 35 33 35 34 0a 64 69 73 74 3a 20 47 53 33 0a 70 |5354.dist: GS3.p|
00000060 72 6f 64 5f 76 65 72 73 69 6f 6e 3a 20 34 2e 31 |rod_version: 4.1|
00000070 30 2e 33 0a 76 65 72 73 69 6f 6e 3a 20 34 31 30 |0.3.version: 410|
00000080 30 33 0a 65 78 74 5f 76 65 72 3a 20 52 31 4e 38 |03.ext_ver: R1N8|
00000090 39 0a 6d 6f 64 65 6d 5f 76 65 72 73 69 6f 6e 3a |9.modem_version:|
000000a0 20 31 2e 38 2e 34 2e 36 0a 00 48 44 52 30 00 60 | 1.8.4.6..HDR0.`|
000000b0 7d 00 ce 73 23 ce 00 00 01 00 1c 00 00 00 00 00 |}.Îs#Î..........|
000000c0 00 00 00 00 00 00 1f 8b 08 08 e0 2a 75 51 02 03 |..........à*uQ..|
000000d0 6a 6d 70 5f 62 6f 6f 74 2e 62 69 6e 00 e3 61 50 |jmp_boot.bin.ãaP|
000000e0 10 64 00 03 8d 5e 13 21 2e 9b 8a 30 2f 53 76 06 |.d...^.!...0/Sv.|
000000f0 2e 51 90 08 0b 83 66 2f 90 b4 91 71 68 51 51 50 |.Q....f/.´.qhQQP|
00000100 e8 64 e0 60 68 00 ab 3c b2 1f 22 06 e3 23 03 01 |èdà`h.«<².".ã#..|
00000110 76 06 ac 00 00 75 96 4b 2a 68 00 00 00 00 00 00 |v.¬..u.K*h......|
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
strings -n 3 FW_GS3_R1N89.rmt > dumps/FW.str
l^Lz
start section
rg_hw: BCM5354
dist: GS3
prod_version: 4.10.3
version: 41003
ext_ver: R1N89
modem_version: 1.8.4.6
HDR0
*uQ
jmp_boot.bin
0/Sv
qhQQP
K*h
binwalk FW_GS3_R1N89.rmt > dumps/FW_binwalk
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
170 0xAA TRX firmware header, little endian, header size: 28 bytes, image size: 8216576 bytes, CRC32: 0xCE2373CE flags/version: 0x10000
198 0xC6 gzip compressed data, was "jmp_boot.bin", from Unix, last modified: Mon Apr 22 14:19:44 2013, max compression
27606 0x6BD6 gzip compressed data, was "vmlinux.bin", from Unix, last modified: Mon Apr 22 14:19:40 2013, max compression
14677548 0xDFF62C gzip compressed data, ASCII, has CRC, extra field, has comment, last modified: Thu Dec 22 18:21:26 2011
With the binwalk information I extracted the uImage / vmlinux.bin section:
dd if=FW_GS3_R1N89.rmt of=uImage bs=1 skip=27606 count=14649942
The image is gzip compressed so I ran:
cat uImage | gunzip - > vmlinux.bin
Binwalk gives the following output:
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
Progress: 0.00% (0 / 12509184)
1666861 0x196F2D LZMA compressed data, properties: 0x88, dictionary size: 524288 bytes, uncompressed size: 270602752 bytes
1677205 0x199795 LZMA compressed data, properties: 0x90, dictionary size: 262144 bytes, uncompressed size: 4608 bytes
1681301 0x19A795 LZMA compressed data, properties: 0x90, dictionary size: 262144 bytes, uncompressed size: 4640 bytes
1898144 0x1CF6A0 Linux kernel version "2.4.21openrg-rmk1 #2 Mon Apr 22 14:19:36 CEST 2013 14:19:36 CEST 2013"
1957631 0x1DDEFF Copyright string: " 1995-1998 Mark Adler "
2113583 0x20402F Copyright string: " 1995-2002 Jean-loup Gailly "
2114351 0x20432F Copyright string: " 1995-2002 Mark Adler "
4190208 0x3FF000 romfs filesystem, version 1 size: 2154800 bytes, named "rom 51752a1e"
6348800 0x60E000 CramFS filesystem, little endian size 65536 version #2 sorted_dirs CRC 0x41c07c37, edition 0, 114 blocks, 947 files
6414336 0x61E000 CramFS filesystem, little endian size 6094848 version #2 sorted_dirs CRC 0x9fa22d7a, edition 0, 757 blocks, 468 files
I'll try to ungzip the last section of the firmware, which contains ASCII data. Maybe the rg_conf data is in this section.
I'll also post the flash layout I have on my device to match with the firmware's.
Kyklas
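
Added example (not part of the original post): a small parser that decodes the TRX header at 0xAA and the gzip member header at 0xC6 from the bytes shown in the hexdump above, reproducing the offsets binwalk reports. The function names and the embedded sample constant are this example's own, and the TRX field layout is the common Broadcom/OpenWrt one, assumed to apply to this image.

```python
import struct

# Bytes 0xA0-0xDF of FW_GS3_R1N89.rmt, copied from the hexdump in the post.
SAMPLE_BASE = 0xA0
SAMPLE = bytes.fromhex(
    "20312e382e342e360a00484452300060"
    "7d00ce7323ce000001001c0000000000"
    "0000000000001f8b0808e02a75510203"
    "6a6d705f626f6f742e62696e00e36150"
)

TRX_MAGIC = b"HDR0"
TRX_HEADER = struct.Struct("<4sIII3I")  # magic, len, crc32, flag_version, offsets[3]


def parse_trx(blob, base=0):
    """Locate and decode a TRX header; offsets are reported relative to the file."""
    pos = blob.find(TRX_MAGIC)
    if pos < 0 or len(blob) - pos < TRX_HEADER.size:
        raise ValueError("no complete TRX header in buffer")
    _, length, crc, flag_version, *offsets = TRX_HEADER.unpack_from(blob, pos)
    start = base + pos
    return {
        "offset": start,
        "length": length,
        "end": start + length,  # first byte past the TRX image
        "crc32": crc,
        "flags": flag_version & 0xFFFF,
        "version": flag_version >> 16,
        "partitions": [start + o for o in offsets if o],  # zero = unused slot
    }


def parse_gzip_member(blob, pos):
    """Decode the fixed gzip header (RFC 1952) and the optional original file name."""
    magic, method, flags, mtime, xfl, os_id = struct.unpack_from("<HBBIBB", blob, pos)
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a gzip/deflate member")
    if flags & 0x04:
        raise ValueError("FEXTRA present; not handled in this example")
    name = None
    if flags & 0x08:  # FNAME: NUL-terminated Latin-1 string follows the header
        end = blob.index(b"\x00", pos + 10)
        name = blob[pos + 10:end].decode("latin-1")
    return {"name": name, "mtime": mtime, "xfl": xfl, "os": os_id}


if __name__ == "__main__":
    print(parse_trx(SAMPLE, SAMPLE_BASE))
```

On the full file, pass the whole buffer with `base=0`. The `end` value (8216746 here) marks where the TRX image stops, so anything binwalk reports past that offset, such as the gzip data at 14677548, lies outside the TRX image.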