DGND3700 V1 Transmission Firmware Reverse Decompile 3
Setting NVRAM defaults
For whatever bizarre reason they live in libnvram.so
So, to stop httpd running the setup wizard after an NVRAM reset (and defaulting everything to German), the variable to change turns out to be blank_state: its default is 1, and that needs to become 0 inside this binary.
This is the section header output from readelf on libnvram.so:
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .reginfo          MIPS_REGINFO    000000d4 0000d4 000018 18   A  0   0  4
  [ 2] .dynamic          DYNAMIC         000000ec 0000ec 0000b8 08   A  5   0  4
  [ 3] .hash             HASH            000001a4 0001a4 000290 04   A  4   0  4
  [ 4] .dynsym           DYNSYM          00000434 000434 0005f0 10   A  5   2  4
  [ 5] .dynstr           STRTAB          00000a24 000a24 000559 00   A  0   0  1
  [ 6] .rel.dyn          REL             00000f80 000f80 005f58 08   A  4   0  4
  [ 7] .text             PROGBITS        00006ee0 006ee0 002e80 00  AX  0   0 16
  [ 8] .MIPS.stubs       PROGBITS        00009d60 009d60 000200 00  AX  0   0  4
  [ 9] .rodata           PROGBITS        00009f60 009f60 006cf8 00   A  0   0 16
  [10] .data             PROGBITS        00021000 011000 005788 00  WA  0   0 16
  [11] .got              PROGBITS        00026790 016790 0000fc 04 WAp  0   0 16
  [12] .bss              NOBITS          00026890 01688c 064020 00  WA  0   0 16
  [13] .comment          PROGBITS        00000000 01688c 000048 00      0   0  1
  [14] .mdebug.abi32     PROGBITS        00000048 0168d4 000000 00      0   0  1
  [15] .pdr              PROGBITS        00000000 0168d4 0006c0 00      0   0  4
  [16] .shstrtab         STRTAB          00000000 016f94 000082 00      0   0  1
From https://www.codeproject.com/articles/70302/redirecting-functions-in-shared-elf-libraries
.text – contains the module code
.data – initialized variables
.bss – non-initialized variables
.symtab – the module symbols: functions and static variables
.strtab – the names for module symbols
.rel.text – the relocation for functions (for statically linked modules)
.rel.data – the relocation for static variables (for statically linked modules)
.rel.plt – the list of elements in the PLT (Procedure Linkage Table), which are subject to relocation during dynamic linking (if PLT is used)
.rel.dyn – the relocation for dynamically linked functions (if PLT is not used)
.got – Global Offset Table, contains the information about the offsets of relocated objects
.debug – the debug information
This nicely lets you list the strings in .rodata (section 9). The hex in brackets before each string is its offset from the start of the section, not a load address; for this .rodata the Addr and Off columns are both 0x9f60, so adding 0x9f60 gives both the file offset and the address relative to the library's load base.
readelf -z -p 9 ./DGND3800B-B/targets/DGND3700/fs.install/lib/libnvram.so
A hex dump of the section shows the blank_state name string at 0xd7d0 in .rodata (for this section that is both the file offset and the address relative to the load base, since Addr equals Off):
readelf -z -x 9 ./DGND3800B-B/targets/DGND3700/fs.install/lib/libnvram.so | grep -C10 blank
  0x0000d7c0 00000000 77616e5f 68776164 64723200 ....wan_hwaddr2.
  0x0000d7d0 626c616e 6b5f7374 61746500 72756e5f blank_state.run_
  0x0000d7e0 77697a00 77697a5f 7070706f 655f7761 wiz.wiz_pppoe_wa
At first glance it looks as though a variable's default string is whatever follows its name after the NUL (\0), while integer defaults are missing; in fact a few "integers" do appear as strings. The adjacency is incidental: the compiler emits string literals in the order the initializer uses them, so a name is often followed by its own value string, but literals that are reused (such as "0" and "1") are emitted once and shared, which is why they turn up elsewhere in .rodata. The real name-to-value binding is in .data, not in the string order.
Poking about in .data (section 10, initialized variables) reveals something interesting: grepping the hex dump for that offset yields
readelf -z -x 10 ./DGND3800B-B/targets/DGND3700/fs.install/lib/libnvram.so | grep -C10 d7d0
  0x000243d0 0000a898 0000a4a4 00000000 0000d7c4 ................
  0x000243e0 0000a000 00000000 0000d7d0 0000e198 ................
  0x000243f0 00000000 0000d7dc 0000a4a4 00000000 ................
Comparing this layout with the entries for other variables whose default values are known, the second word of each entry maps to a value as follows:
a4a4 = 0
e198 = 1
cfc4 = 5
aba0 = 30
a4c4 = 3600
These words are themselves addresses inside .rodata (which runs from 0x9f60 to 0x10c58), so each .data entry is a pair of pointers, name string then value string, followed by a third word that is zero throughout this dump, and every default, numeric or not, is stored as a string. The mapping is easy to check: readelf -z -x 9 on the library should show "0" at 0xa4a4, "1" at 0xe198, and so on. Thus the blank_state entry in .data (0000d7d0 0000e198) needs its value pointer changed from e198 to a4a4, so the default becomes "0" and German is no longer the default language. yay.
One caveat when patching with a hex editor: the addresses in the .data dump are load addresses, not file offsets. .data has Addr 0x21000 but Off 0x11000, so the word 0000e198 shown at 0x243ec sits at file offset 0x143ec (0x243ec - 0x21000 + 0x11000) in libnvram.so.
If anyone understands how these values come about I would love to know.
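The lookup-and-patch described above, as an added Python example that is not the post's own tooling. It assumes the layout inferred from the readelf dumps (not confirmed against Netgear source): .data holds 12-byte entries of {name pointer, value pointer, zero word}, both pointers are load addresses into .rodata, and every default is a NUL-terminated string. Rather than trusting grep output, it parses the section headers, resolves the name string to its address, finds the matching entry, translates the entry's load address to a file offset, and repoints the value at an existing "0" string. The ELF built by build_sample_elf() is constructed for the demo and only mirrors the post's section addresses; build_sample_elf, value_ptr_offset, read_default and patch_default are names chosen here.

```python
"""Find and repoint an NVRAM default in a big-endian ELF32 (MIPS) libnvram.so."""
import struct

SHDR = struct.Struct(">IIIIIIIIII")          # Elf32_Shdr, big-endian (MIPS BE)
E_SHOFF, E_SHENTSIZE = 0x20, 0x2E            # e_shoff; then e_shentsize/e_shnum/e_shstrndx


def sections(elf):
    """Map section name -> (sh_addr, sh_offset, sh_size) from the section headers."""
    shoff = struct.unpack_from(">I", elf, E_SHOFF)[0]
    shentsize, shnum, shstrndx = struct.unpack_from(">HHH", elf, E_SHENTSIZE)
    hdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]               # sh_offset of .shstrtab
    out = {}
    for name_off, _, _, addr, off, size, *_ in hdrs:
        name = elf[strtab + name_off:elf.index(b"\0", strtab + name_off)]
        out[name.decode()] = (addr, off, size)
    return out


def string_va(elf, sec, s):
    """Load address of the standalone NUL-terminated string s in section sec."""
    addr, off, size = sec
    body, needle, i = elf[off:off + size], s + b"\0", 0
    while (i := body.find(needle, i)) >= 0:
        if i == 0 or body[i - 1] == 0:       # "0\0" must not be the tail of "lan0\0"
            return addr + i
        i += 1
    raise KeyError(s)


def value_ptr_offset(elf, var):
    """(file offset of var's value pointer, load address of its value string).

    The readelf -x dump of .data is keyed by load address; the byte to patch is
    at sh_offset + (VA - sh_addr), which for this library means VA - 0x10000.
    """
    secs = sections(elf)
    (ro_addr, _, ro_size), (_, d_off, d_size) = secs[".rodata"], secs[".data"]
    name_va = string_va(elf, secs[".rodata"], var.encode())
    for i in range(0, d_size - 11, 4):       # entries are word-aligned; scan every word
        name_ptr, value_ptr, _ = struct.unpack_from(">III", elf, d_off + i)
        if name_ptr == name_va and ro_addr <= value_ptr < ro_addr + ro_size:
            return d_off + i + 4, value_ptr  # +4: the value pointer is the second word
    raise KeyError(var)


def read_default(elf, var):
    """Current default string for var, e.g. "1" for blank_state."""
    _, value_va = value_ptr_offset(elf, var)
    ro_addr, ro_off, _ = sections(elf)[".rodata"]
    start = ro_off + (value_va - ro_addr)
    return elf[start:elf.index(b"\0", start)].decode()


def patch_default(elf, var, new_value):
    """Copy of elf with var repointed at an existing .rodata string new_value
    (so "0" and "1" work; nothing is appended to the file)."""
    file_off, _ = value_ptr_offset(elf, var)
    new_va = string_va(elf, sections(elf)[".rodata"], new_value.encode())
    out = bytearray(elf)
    struct.pack_into(">I", out, file_off, new_va)
    return bytes(out)


def build_sample_elf():
    """Constructed stand-in for libnvram.so with the post's section addresses:
    .rodata at VA and offset 0x9f60, .data at VA 0x21000 but file offset 0x11000."""
    RO_ADDR, D_ADDR, D_OFF = 0x9F60, 0x21000, 0x11000
    rodata = b"\0lan0\0" b"0\0" b"1\0" b"wan_hwaddr2\0blank_state\0run_wiz\0"

    def va(s):                                # load address of a literal in the sample .rodata
        return RO_ADDR + rodata.index(b"\0" + s + b"\0") + 1

    table = [(b"wan_hwaddr2", b"lan0"), (b"blank_state", b"1"), (b"run_wiz", b"0")]
    data = b"".join(struct.pack(">III", va(n), va(v), 0) for n, v in table)
    shstr = b"\0.rodata\0.data\0.shstrtab\0"
    shstr_off = D_OFF + len(data)
    shoff = shstr_off + len(shstr)
    img = bytearray(shoff + 4 * SHDR.size)
    img[0:6] = b"\x7fELF\x01\x02"            # ELFCLASS32, ELFDATA2MSB
    struct.pack_into(">I", img, E_SHOFF, shoff)
    struct.pack_into(">HHH", img, E_SHENTSIZE, SHDR.size, 4, 3)
    img[RO_ADDR:RO_ADDR + len(rodata)] = rodata
    img[D_OFF:D_OFF + len(data)] = data
    img[shstr_off:shstr_off + len(shstr)] = shstr
    hdrs = [(0, 0, 0, 0, 0, 0),                                 # SHT_NULL
            (1, 1, 2, RO_ADDR, RO_ADDR, len(rodata)),           # .rodata, flags A
            (9, 1, 3, D_ADDR, D_OFF, len(data)),                # .data, flags WA
            (15, 3, 0, 0, shstr_off, len(shstr))]               # .shstrtab
    for i, h in enumerate(hdrs):
        SHDR.pack_into(img, shoff + i * SHDR.size, *h, 0, 0, 4, 0)
    return bytes(img)


if __name__ == "__main__":
    import sys
    elf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    off, _ = value_ptr_offset(elf, "blank_state")
    print(f"blank_state default {read_default(elf, 'blank_state')!r}, value pointer at file offset {off:#x}")
```

Run it with the path to libnvram.so to print the current default and the exact file offset of the value pointer (0x143ec is what the post's dump implies), or with no argument to exercise the constructed sample, where the same pointer lands at 0x11010 because of the 0x10000 gap between Addr and Off of .data. patch_default only repoints at a string that already exists in .rodata; a default that is not already present as a literal would need the string appended or an existing one overwritten, which this does not attempt.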