DGND3700 V1 Transmission Firmware Reverse Decompile 3

From richud.com


Setting NVRAM defaults

For whatever bizarre reason, the NVRAM defaults live in libnvram.so.

So, to stop the httpd setup wizard from running after an NVRAM reset (and setting everything to German), the magic turns out to be the variable blank_state: its default is 1 and needs changing to 0 within this binary.


This is the section header output from readelf for libnvram.so:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .reginfo          MIPS_REGINFO    000000d4 0000d4 000018 18   A  0   0  4
  [ 2] .dynamic          DYNAMIC         000000ec 0000ec 0000b8 08   A  5   0  4
  [ 3] .hash             HASH            000001a4 0001a4 000290 04   A  4   0  4
  [ 4] .dynsym           DYNSYM          00000434 000434 0005f0 10   A  5   2  4
  [ 5] .dynstr           STRTAB          00000a24 000a24 000559 00   A  0   0  1
  [ 6] .rel.dyn          REL             00000f80 000f80 005f58 08   A  4   0  4
  [ 7] .text             PROGBITS        00006ee0 006ee0 002e80 00  AX  0   0 16
  [ 8] .MIPS.stubs       PROGBITS        00009d60 009d60 000200 00  AX  0   0  4
  [ 9] .rodata           PROGBITS        00009f60 009f60 006cf8 00   A  0   0 16
  [10] .data             PROGBITS        00021000 011000 005788 00  WA  0   0 16
  [11] .got              PROGBITS        00026790 016790 0000fc 04 WAp  0   0 16
  [12] .bss              NOBITS          00026890 01688c 064020 00  WA  0   0 16
  [13] .comment          PROGBITS        00000000 01688c 000048 00      0   0  1
  [14] .mdebug.abi32     PROGBITS        00000048 0168d4 000000 00      0   0  1
  [15] .pdr              PROGBITS        00000000 0168d4 0006c0 00      0   0  4
  [16] .shstrtab         STRTAB          00000000 016f94 000082 00      0   0  1

From https://www.codeproject.com/articles/70302/redirecting-functions-in-shared-elf-libraries

.text – contains the module code
.data – initialized variables
.bss – non-initialized variables
.symtab – the module symbols: functions and static variables
.strtab – the names for module symbols
.rel.text – the relocation for functions (for statically linked modules)
.rel.data – the relocation for static variables (for statically linked modules)
.rel.plt – the list of elements in the PLT (Procedure Linkage Table), which are liable to the relocation during the dynamic linking (if PLT is used)
.rel.dyn – the relocation for dynamically linked functions (if PLT is not used)
.got – Global Offset Table, contains the information about the offsets of relocated objects
.debug – the debug information

This nicely lets you see the string table in .rodata (the hex in brackets isn't an address: readelf -p prints each string's offset from the start of the section, so add the section's Addr to get the address used below):

readelf -z  -p 9 ./DGND3800B-B/targets/DGND3700/fs.install/lib/libnvram.so

Hex view (readelf -x), where you can see the blank_state string sits at 0xd7d0 in .rodata:

readelf -z -x 9 ./DGND3800B-B/targets/DGND3700/fs.install/lib/libnvram.so | grep -C10 blank

  0x0000d7c0 00000000 77616e5f 68776164 64723200 ....wan_hwaddr2.
  0x0000d7d0 626c616e 6b5f7374 61746500 72756e5f blank_state.run_
  0x0000d7e0 77697a00 77697a5f 7070706f 655f7761 wiz.wiz_pppoe_wa

Where a variable's value is a string, the value appears right after the name's terminating null (\0); integer values don't, although some do, presumably because those are stored as strings too.

Poking about reveals something interesting in .data (the initialized variables): grepping for the .rodata address of blank_state yields

readelf -z -x 10 ./DGND3800B-B/targets/DGND3700/fs.install/lib/libnvram.so | grep -C10 d7d0

  0x000243d0 0000a898 0000a4a4 00000000 0000d7c4 ................
  0x000243e0 0000a000 00000000 0000d7d0 0000e198 ................
  0x000243f0 00000000 0000d7dc 0000a4a4 00000000 ................

Looking at how other variables with known values are laid out in .data (each entry is the name's address followed by a value word), the value words appear to map as follows:

a4a4 = 0

e198 = 1

cfc4 = 5

aba0 = 30

a4c4 = 3600

Thus the blank_state entry in .data (0000d7d0 0000e198) needs its e198 changing to a4a4, so the default becomes zero and German is no longer the default language. yay.
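As an added example (not code from the page or from the firmware), here is a Python script that automates the patch described above: it uses the .rodata and .data values from the readelf section headers, finds the name string in .rodata, locates the (name pointer, value pointer, 0) record in .data and repoints the value pointer. It assumes those .data records are 12-byte pointer triples and that the value words are pointers to NUL-terminated strings in .rodata (consistent with a4a4 = "0" and e198 = "1" above); the sample image is constructed in place of the real libnvram.so.

```python
import struct
# name -> (virtual address, file offset, size), copied from the readelf section headers above
SECTIONS = {".rodata": (0x9F60, 0x9F60, 0x6CF8), ".data": (0x21000, 0x11000, 0x5788)}
WORD = ">I"  # 32-bit big-endian MIPS: pointers in .data are big-endian words

def vaddr_to_off(vaddr):
    """Translate a virtual address to a file offset via the section table."""
    for addr, off, size in SECTIONS.values():
        if addr <= vaddr < addr + size:
            return off + (vaddr - addr)
    raise ValueError(f"{vaddr:#x} is not inside a known section")

def rodata_string_vaddr(image, s):
    """Virtual address of the whole NUL-terminated string s inside .rodata."""
    addr, off, size = SECTIONS[".rodata"]
    pos = image.index(b"\0" + s.encode() + b"\0", off, off + size)  # ValueError if absent
    return addr + (pos + 1 - off)

def read_cstring(image, vaddr):
    off = vaddr_to_off(vaddr)
    return image[off:image.index(b"\0", off)].decode()

def default_value_slot(image, name):
    """File offset of the value pointer that follows the name pointer in the .data table."""
    addr, off, size = SECTIONS[".data"]
    needle = struct.pack(WORD, rodata_string_vaddr(image, name))
    for pos in range(off, off + size - 4, 4):
        if image[pos:pos + 4] == needle:
            return pos + 4
    raise KeyError(f"no .data entry names {name}")

def get_default(image, name):
    slot = default_value_slot(image, name)
    return read_cstring(image, struct.unpack_from(WORD, image, slot)[0])

def set_default(image, name, new_value):
    """Return a patched copy where name's default pointer targets the string new_value."""
    patched = bytearray(image)
    struct.pack_into(WORD, patched, default_value_slot(patched, name),
                     rodata_string_vaddr(patched, new_value))
    return bytes(patched)

def build_sample_image():
    """Constructed stand-in for libnvram.so, laid out like the page's hex dumps (assumption)."""
    img = bytearray(0x16890)
    for vaddr, s in [(0xA4A4, "0"), (0xE198, "1"), (0xD7C4, "wan_hwaddr2"),
                     (0xD7D0, "blank_state"), (0xD7DC, "run_wiz")]:
        struct.pack_into(f"{len(s) + 1}s", img, vaddr_to_off(vaddr), s.encode())
    # (name ptr, value ptr, 0) triples exactly as dumped from 0x243dc in .data
    struct.pack_into(">9I", img, vaddr_to_off(0x243DC),
                     0xD7C4, 0xA000, 0, 0xD7D0, 0xE198, 0, 0xD7DC, 0xA4A4, 0)
    return bytes(img)
```

Against the real file, replace build_sample_image() with the bytes of libnvram.so and write set_default(...) back out; the .rodata and .data addresses must match your firmware's readelf output.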

If anyone understands how these values come about I would love to know.
