Wednesday, November 17, 2010

Huawei EchoLife CPE BM626 Firmware Data Structure - Unpack and Repack

DO THIS WITH CAUTION, DON'T CONTINUE IF YOU DON'T KNOW WHAT YOU ARE DOING !!!
I'M NOT RESPONSIBLE IF YOU HARM YOUR CPE DEVICE !!!

To make a custom firmware, you need to know the data structure of the firmware bin file.
A sample of the firmware header in hex:
EB49 000E 5A5A A5A5 0086AFE4 0001 0201 0400 0200
EB49 is the crc16 (xmodem) of the whole file, computed from the 000E field to the end
000E is a fixed identifier (don't change)
5A5A A5A5 is the fixed marker for the beginning of a new file (don't change)
0086AFE4 is the file size in hex
0001 0201 0400 0200 is the code of your CPE device (the same for all devices of the same type)

Using a hex editor such as Hex Workshop, search for the hex sequence 5A5A A5A5: each occurrence marks the beginning of a file inside the firmware, and therefore the end of the previous one.

The structure of each file is identified by the following hex:
5A5A A5A5 1000 000000 1CA374 2E97 0000
1000 is the file type identifier; keep it the same for the same file
000000 is a fixed identifier (don't change)
1CA374 is the file size, counted from the first 4 zeros 0000 to the end of the single file
2E97 is the crc16 (xmodem) of the single file, computed from the first 4 zeros 0000 to the end of the single file
0000 is a fixed identifier (don't change)

This is a sample of the header and file identifiers from one firmware file:

EB49 000E
5A5A A5A5 0086AFE4 0001 0201 0400 0200   V100R001LBYC10B031
5A5A A5A5 1000 000000 1DACB2 0329 0000   apps.7z  .............
5A5A A5A5 1208 000000 081F4C 7444 0000   microcode.blob  .............
5A5A A5A5 1500 000000 067FEE 7247 0000   vxWorks.7z  .............
5A5A A5A5 1201 000000 000111 122E 0000   operatorconfig.txt  .............
5A5A A5A5 1202 000000 000F8C B441 0000   operatorcsspara.cfg  .............
5A5A A5A5 1206 000000 0006A1 A3E5 0000   ss1130_5M_usb.sh  .............
5A5A A5A5 1207 000000 00069F 9FE8 0000   ss1130_10M_usb.sh  .............
5A5A A5A5 1100 000000 000184 5C55 0000   bootLoader.bin  .............
5A5A A5A5 1400 000000 04DAB0 7F7B 0000   bootrom.bin  .............
5A5A A5A5 0100 000000 0107D2 3E65 0000   .............
5A5A A5A5 0203 000000 010000 0DD5 0000   ubootpam.conf  .............
5A5A A5A5 0202 000000 00415A 3E72 0000   defaultcfg.xml  .............
5A5A A5A5 0500 000000 0D1B1F 479D 0000   .............
5A5A A5A5 0000 000000 460094 F675 0000   qshs-rootfs  .............

To generate the crc16 xmodem in Hex Workshop:

  • open the file in Hex Workshop
  • click on Tools > Generate Checksum...
  • select Custom CRC > click on Custom CRC
  • select 16bit CRC
  • type 1021 as the Polynomial
  • type 0000 as the Initial Value
  • untick both the In and Out Reflection boxes
  • type 0000 as the XOR Out
  • click on Generate
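The layout above as a small Python unpacker and repacker, added here as an example (it is not code from the original post or from Huawei). It computes the crc16 xmodem exactly as the Hex Workshop settings describe, walks the 5A5A A5A5 records, verifies both CRC layers, and rebuilds an image after one embedded file is replaced. The width of the file-name field, the width of the version-string field, and reading the total-size field as the length of the whole image are assumptions marked in the code; the sample image is constructed inside the block.

```python
import struct

# Layout as described in the post (all fields big-endian):
#   image : crc16(2) 000E(2) 5A5AA5A5(4) total_size(4) device_code(8) version ... records
#   record: 5A5AA5A5(4) type(2) 000000(3) size(3) crc16(2) 0000(2) name data
# A record's size and crc16 cover everything from its 0000 field to the end of that file.
HEADER_MARK = b"\x00\x0E"
FILE_MAGIC = b"\x5A\x5A\xA5\xA5"
RECORD_HDR_LEN = 14          # magic + type + 000000 + size + crc: not counted by `size`
NAME_FIELD_LEN = 32          # ASSUMPTION: fixed-width file name after the 0000 field
VERSION_FIELD_LEN = 32       # ASSUMPTION: fixed-width version string in the image header
DEVICE_CODE = bytes.fromhex("0001020104000200")   # device code shown in the post
VERSION = b"V100R001LBYC10B031"                   # version string shown in the post


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: poly 0x1021, initial value 0x0000, no reflection, XOR out 0x0000,
    i.e. the custom CRC settings listed above for Hex Workshop."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_record(file_type: int, name: bytes, data: bytes) -> bytes:
    """Pack one embedded file; stored size and crc cover the 0000 field, the name and the data."""
    payload = b"\x00\x00" + name.ljust(NAME_FIELD_LEN, b"\x00") + data
    header = (FILE_MAGIC + struct.pack(">H", file_type) + b"\x00\x00\x00"
              + len(payload).to_bytes(3, "big") + struct.pack(">H", crc16_xmodem(payload)))
    return header + payload


def build_image(records) -> bytes:
    """Repack: join the records, fill in the total size, then the outer crc over 000E..end."""
    body = (HEADER_MARK + FILE_MAGIC + b"\x00\x00\x00\x00" + DEVICE_CODE
            + VERSION.ljust(VERSION_FIELD_LEN, b"\x00")
            + b"".join(build_record(t, n, d) for t, n, d in records))
    total = 2 + len(body)                # ASSUMPTION: total_size counts the whole image
    body = body[:6] + struct.pack(">I", total) + body[10:]
    return struct.pack(">H", crc16_xmodem(body)) + body


def parse_image(image: bytes) -> dict:
    """Unpack: check the outer crc first, then walk the records and check each one."""
    stored = struct.unpack(">H", image[:2])[0]
    if image[2:4] != HEADER_MARK or image[4:8] != FILE_MAGIC:
        raise ValueError("header markers 000E / 5A5AA5A5 missing")
    if crc16_xmodem(image[2:]) != stored:
        raise ValueError("outer crc mismatch: image corrupt or edited without repacking")
    total = struct.unpack(">I", image[8:12])[0]
    files = []
    offset = image.find(FILE_MAGIC, 12)  # first record follows the device code and version
    while 0 <= offset < len(image):
        if image[offset:offset + 4] != FILE_MAGIC:
            raise ValueError(f"record marker missing at offset {offset:#x}")
        file_type = struct.unpack(">H", image[offset + 4:offset + 6])[0]
        size = int.from_bytes(image[offset + 9:offset + 12], "big")
        rec_crc = struct.unpack(">H", image[offset + 12:offset + 14])[0]
        payload = image[offset + RECORD_HDR_LEN:offset + RECORD_HDR_LEN + size]
        if len(payload) != size or crc16_xmodem(payload) != rec_crc:
            raise ValueError(f"record at offset {offset:#x}: size or crc check failed")
        name = payload[2:2 + NAME_FIELD_LEN].rstrip(b"\x00").decode("ascii")
        files.append({"type": file_type, "name": name, "data": payload[2 + NAME_FIELD_LEN:]})
        offset += RECORD_HDR_LEN + size
    return {"total_size": total, "device_code": image[12:20], "files": files}


def image_is_valid(image: bytes) -> bool:
    """True when both crc layers and all markers check out."""
    try:
        parse_image(image)
        return True
    except ValueError:
        return False


def replace_file(image: bytes, name: str, new_data: bytes) -> bytes:
    """Repack with one embedded file's data swapped; both crc layers are recomputed."""
    records = [(f["type"], f["name"].encode("ascii"),
                new_data if f["name"] == name else f["data"])
               for f in parse_image(image)["files"]]
    return build_image(records)


if __name__ == "__main__":
    # Constructed sample image using two of the file types listed in the post.
    img = build_image([(0x1201, b"operatorconfig.txt", b"constructed sample config\n"),
                       (0x1202, b"operatorcsspara.cfg", b"constructed sample parameters\n")])
    for f in parse_image(img)["files"]:
        print(f"type {f['type']:04X}  {f['name']:<24} {len(f['data'])} bytes")
    tampered = img[:-1] + bytes([img[-1] ^ 0xFF])
    print("tampered image accepted?", image_is_valid(tampered))
    patched = replace_file(img, "operatorconfig.txt", b"edited\n")
    print("repacked image accepted?", image_is_valid(patched))
```

The point of the two-layer check is the one the post makes implicitly: editing a single byte of any embedded file invalidates that record's crc16 and the outer crc16, so a custom image must be repacked from the inside out (record crc and size, then total size, then the outer crc over 000E to the end).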

CRC Standards

Parameters of the common CRC models, in pycrc's naming ("XOR In" is the register's initial value). The xmodem row is the one the BM626 firmware uses.

Model          Width  Poly                Reflect In  XOR In              Reflect Out  XOR Out
crc-5          5      0x5                 True        0x1f                True         0x1f
crc-8          8      0x07                False       0x00                False        0x00
dallas-1-wire  8      0x31                True        0x00                True         0x00
crc-15         15     0x4599              False       0x000               False        0x000
crc-16         16     0x8005              True        0x0000              True         0x0000
crc-16-usb     16     0x8005              True        0xffff              True         0xffff
crc-16-modbus  16     0x8005              True        0xffff              True         0x0000
ccitt          16     0x1021              False       0xffff              False        0x0000
r-crc-16       16     0x0589              False       0x0000              False        0x0001
kermit         16     0x1021              True        0x0000              True         0x0000
x-25           16     0x1021              True        0xffff              True         0xffff
xmodem         16     0x1021              False       0x0000              False        0x0000
zmodem         16     0x1021              False       0x0000              False        0x0000
crc-24         24     0x864cfb            False       0xb704ce            False        0x000000
crc-32         32     0x04c11db7          True        0xffffffff          True         0xffffffff
crc-32c        32     0x1edc6f41          True        0xffffffff          True         0xffffffff
crc-32-mpeg    32     0x04c11db7          False       0xffffffff          False        0x00000000
posix          32     0x04c11db7          False       0x00000000          False        0xffffffff
jam            32     0x04c11db7          True        0xffffffff          True         0x00000000
xfer           32     0x000000af          False       0x00000000          False        0x00000000
crc-64         64     0x000000000000001b  True        0x0000000000000000  True         0x0000000000000000
crc-64-jones   64     0xad93d23594c935a9  True        0xffffffffffffffff  True         0x0000000000000000

Short commands (pycrc): pycrc.py --model crc-32c, pycrc.py --model posix
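Every row of the table above is the same bit-serial algorithm with six knobs (the Rocksoft/pycrc model). As an added example, not from the post and not pycrc's own code, here is that engine in Python with the page's models loaded, checked against the published check values for the message "123456789" (the conventional CRC test string; those values are reference facts, not from the post). It shows, for instance, that xmodem and zmodem are the same CRC, that kermit is xmodem with both reflections on, and that the firmware's EB49 and 2E97 values are just this engine with the xmodem row.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CrcModel:
    """One row of the table above. `init` is the table's "XOR In": the register's start value."""
    width: int
    poly: int
    refin: bool
    init: int
    refout: bool
    xorout: int


def reflect(value: int, width: int) -> int:
    """Reverse the low `width` bits of `value` (bit 0 becomes bit width-1)."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def crc(data: bytes, m: CrcModel) -> int:
    """Bit-serial CRC over `data` for model `m`; works for any width, including 5 and 15."""
    mask = (1 << m.width) - 1
    top = 1 << (m.width - 1)
    reg = m.init & mask
    for byte in data:
        if m.refin:
            byte = reflect(byte, 8)          # "Reflect In": consume each byte LSB first
        for i in range(7, -1, -1):           # feed one message bit at a time into the top
            feed = bool(reg & top) ^ bool((byte >> i) & 1)
            reg = (reg << 1) & mask
            if feed:
                reg ^= m.poly
    if m.refout:
        reg = reflect(reg, m.width)          # "Reflect Out": reverse the final register
    return (reg ^ m.xorout) & mask           # "XOR Out"


MODELS = {
    # name             width poly                refin  init                refout xorout
    "crc-5":           CrcModel(5,  0x05,        True,  0x1F,               True,  0x1F),
    "crc-8":           CrcModel(8,  0x07,        False, 0x00,               False, 0x00),
    "dallas-1-wire":   CrcModel(8,  0x31,        True,  0x00,               True,  0x00),
    "crc-15":          CrcModel(15, 0x4599,      False, 0x0000,             False, 0x0000),
    "crc-16":          CrcModel(16, 0x8005,      True,  0x0000,             True,  0x0000),
    "crc-16-usb":      CrcModel(16, 0x8005,      True,  0xFFFF,             True,  0xFFFF),
    "crc-16-modbus":   CrcModel(16, 0x8005,      True,  0xFFFF,             True,  0x0000),
    "ccitt":           CrcModel(16, 0x1021,      False, 0xFFFF,             False, 0x0000),
    "r-crc-16":        CrcModel(16, 0x0589,      False, 0x0000,             False, 0x0001),
    "kermit":          CrcModel(16, 0x1021,      True,  0x0000,             True,  0x0000),
    "x-25":            CrcModel(16, 0x1021,      True,  0xFFFF,             True,  0xFFFF),
    "xmodem":          CrcModel(16, 0x1021,      False, 0x0000,             False, 0x0000),
    "zmodem":          CrcModel(16, 0x1021,      False, 0x0000,             False, 0x0000),
    "crc-24":          CrcModel(24, 0x864CFB,    False, 0xB704CE,           False, 0x000000),
    "crc-32":          CrcModel(32, 0x04C11DB7,  True,  0xFFFFFFFF,         True,  0xFFFFFFFF),
    "crc-32c":         CrcModel(32, 0x1EDC6F41,  True,  0xFFFFFFFF,         True,  0xFFFFFFFF),
    "crc-32-mpeg":     CrcModel(32, 0x04C11DB7,  False, 0xFFFFFFFF,         False, 0x00000000),
    "posix":           CrcModel(32, 0x04C11DB7,  False, 0x00000000,         False, 0xFFFFFFFF),
    "jam":             CrcModel(32, 0x04C11DB7,  True,  0xFFFFFFFF,         True,  0x00000000),
    "xfer":            CrcModel(32, 0x000000AF,  False, 0x00000000,         False, 0x00000000),
    "crc-64":          CrcModel(64, 0x1B,        True,  0x0,                True,  0x0),
    "crc-64-jones":    CrcModel(64, 0xAD93D23594C935A9, True, 0xFFFFFFFFFFFFFFFF, True, 0x0),
}

# Published check values for the message b"123456789" (the CRC catalogue convention),
# used as a self-test of the engine and of the table transcription.
CHECK = {
    "crc-5": 0x19, "crc-8": 0xF4, "dallas-1-wire": 0xA1, "crc-15": 0x059E,
    "crc-16": 0xBB3D, "crc-16-usb": 0xB4C8, "crc-16-modbus": 0x4B37, "ccitt": 0x29B1,
    "r-crc-16": 0x007E, "kermit": 0x2189, "x-25": 0x906E, "xmodem": 0x31C3, "zmodem": 0x31C3,
    "crc-24": 0x21CF02, "crc-32": 0xCBF43926, "crc-32c": 0xE3069283,
    "crc-32-mpeg": 0x0376E6E7, "posix": 0x765E7680, "jam": 0x340BC6D9, "xfer": 0xBD0BE338,
}


def self_test() -> list:
    """Names of models whose computed value disagrees with the published check value."""
    return [n for n, want in CHECK.items() if crc(b"123456789", MODELS[n]) != want]


if __name__ == "__main__":
    for name, model in MODELS.items():
        digits = (model.width + 3) // 4
        print(f"{name:<14} {crc(b'123456789', model):0{digits}x}")
    print("mismatches:", self_test() or "none")
```

When a checksum in a firmware image does not match any named model, this is the engine to vary: try the candidate polynomials with each combination of initial value, reflection and final XOR, and compare against a stored value whose covered byte range you know, as the post does for the 000E-to-end and 0000-to-end ranges.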

Monday, November 1, 2010

Huawei EchoLife BM626 BM625 wimax modem - DNS Hack

The BM626 and BM625 prevent client PCs from using their own DNS server and redirect all DNS queries to the router's default DNS server, which is something bothering us all.

Therefore, follow these steps to configure your own DNS settings:

Using the cat command
1. make sure you have telnet (or PuTTY), and that LAN access is selected under Advanced > ACL in the router web configuration page.
2. log in to the router at 192.168.1.1 as wimax:wimax820 (make sure to choose telnet in PuTTY)
3. type sh
4. type cd etc
5. type cat resolv.conf, and note the output
6. type cat > resolv.conf, then on the new line type nameserver 8.8.8.8
7. press ctrl+j for a new line, then ctrl+d to exit
8. type cat resolv.conf to check that the dns has changed.
9. in the Windows command prompt, type ipconfig /flushdns to clear the cached dns and activate the new one


Using a TFTP Server
1. download a TFTP server, for example SolarWinds'
2. install it, then run it
3. click on Configure, then click Browse, choose a valid folder, and remember your choice
4. disable your firewall (or open UDP port 69)
5. press ctrl+r, type cmd, then OK (make sure you have telnet on your PC, or use PuTTY)
6. type telnet 192.168.1.1 (the IP of your router)
7. for the login type wimax, and for the password type wimax820
8. type sh, then enter
9. type cd etc
10. type tftp -s -l resolv.conf 192.168.1.xx (replace xx with your PC's IP)
11. browse to the TFTP folder you chose and open the file resolv.conf in a text editor
12. change the IP after the word nameserver to whatever DNS you like (for example Google's 8.8.8.8 and 8.8.4.4)
13. save and exit
14. go back to the command prompt and type tftp -g -r resolv.conf 192.168.1.xx (replace xx with your PC's IP)
15. in the Windows command prompt, type ipconfig /flushdns to clear the cached dns and activate the new one

Have Fun