Original firmware contains 2 parts:

  • Linux kernel with initrd (root fs)
  • SquashFS image (/lib and /usr)

Split firmware

First you need to find string “hsqs” in firmware. It's start part of SquashFS image.
Use Far Manager under Windows. It's easiest way. :-)
Press F3 to view file, F4 to switch to HEX mode and F7 to search “hsqs” string.

You see 0x260000 address. It's hex offset to SquashFS image. For humans it means: 2432K. It's standart offset, so I think you don't need to find it again.

So now we can split kernel+initrd and SquashFS image:

dd if=DNS-300_runtime_v1.00b013.bin of=bootpImage-1.00.b13 bs=1024 count=2432
dd if=DNS-300_runtime_v1.00b013.bin of=cramfs-1.00.b013.img bs=1024 skip=2432

Don't confuse about “cramfs…img” name. It's SquashFS image, not CramFS, but D-Link's developers uses filename “cram.img” and I follow that strange tradition. :-)

To have initrd image, you need to find initrd offset in bootpImage file.
Use Far Manager again and search string ramdisk, or ramdisk.bin

It's easy to see start part of initrd: 0xFD160 (1036640). I don't know good method to split files so precisely, so I've used stupid procedure:

split -b 1036640 bootpImage-1.00.b13
cat xab xac > initrd-1.00.b13.gz
gunzip initrd-1.00.b13.gz

Now you should have two files:

  • cramfs-1.00.b013.img
  • initrd-1.00.b13

View SquashFS

D-Link uses SquashFS 2.0 in their firmware, so you need Linux kernel with squashfs 2.0 support. I have compiled RPM for CentOS 4.3 i686 with SquashFS 2.0, so if you need I can share it.
To get access, you should mount image:

mkdir app-fs
mount -o loop -t squashfs cramfs-1.00.b013.img app-fs

View initrd

mkdir initrd-100
mount -o loop initrd-1.00.b13 initrd-100
howto/unpack_dlink_firmware.txt · Last modified: 2006/08/12 10:19 by sergeyzh
CC Attribution-Noncommercial-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0