Apple provides firmware updates for their Airport products through 'Airport Utility'. Firmware files can be downloaded with the help of ~/Library/Application\ Support/Apple/AirPort/Firmware/version.xml which contains all products and their available firmware versions.

For the Airport Express (model A1392, productID 115, see WikiDevi, Teardown by Rogue Amoeba) there are 3 firmware versions: 7.6.2, 7.6.3 and 7.6.4 (current). I downloaded all 3 versions and used binwalk (v1.2.2-1) on them. They seem to be encrypted:

$ binwalk -H 7.6.3.basebinary
0 0x0 High entropy data, best guess: encrypted, size: 5673944, 0 low entropy blocks

Examining different firmware files revealed their common structure.

Offset F: firmware format version (?) (8 bit signed) hex 2D => format 45 (7.5.x firmwares have format version 44, 7.7.x firmwares have format version 46)
Offset 13: product ID (8 bit signed) hex 73 => product ID 115
Offset 14: Firmware Major Version (8 bit signed) hex 07 => major version 7 (aka 7.x)
Offset 15: Firmware Minor Version (8 bit signed) hex 63 => minor version 63 (aka x.63)
Offset 16-1F: checksum or size for following part?
Offset 20-2D: static string APPLE-FIRMWARE
Offset 2F: firmware format version (?) (8 bit signed) hex 2D => format 45 (7.5.x firmwares have format version 44, 7.7.x firmwares have format version 46)
Offset 33: product ID (8 bit signed) hex 73 => product ID 115
Offset 34: Firmware Major Version (8 bit signed) hex 07 => major version 7 (aka 7.x)
Offset 35: Firmware Minor Version (8 bit signed) hex 63 => minor version 63 (aka x.63)

What kind of encryption could have been used? Apple seems to use AES for iPhone and AppleTV firmware.

Like others have said, you might have to take the hardware route, and physically connect a Bus Pirate or similar device to dump the firmware. When the device is running, you will get a decrypted firmware dump. Here's a series about this with an airport express, it's taken from this blog: but I will copy and paste the whole thing here because I don't trust this blog to stay online. I've pieced in some photos using as well. Unfortunately the link to the key at the end is a dead link.

Reverse engineering the Airport Express Part 1

For quite some time I've wanted to reverse engineer the airport express base station. The first is that within this firmware are the private Airtunes keys. The second and more important part, at least for me, is that it is almost identical to a wrt54g plus it adds usb and sound-card. Getting linux/openwrt running on this would be wicked cool.

The main issue with reversing Apple's firmwares for these access points is that they are encrypted and the airport express decrypts the firmware when flashing so you can't really do anything fun with the firmware-update files.

A time back I posted on twitter that I needed a broken airport express! I got really lucky, a friend of mine saw the tweet and gave me his broken airport. I disassembled it and found out that the flash was AT45DB321B, which is nice because Atmel keeps their datasheet public, the not so good news was that it was BGA-mounted and my old soldering station wasn't up for this. Everybody knows I'm a real ebay-whore, so I went to ebay and ordered this excellent hakko rework-station clone (YIHUA 852D).

Here is a short video when I'm detaching the IC:

After desoldering I glued it to a breadboard and hooked up some wires, this was a bit tricky as this is quite small.

After everything was hooked up, I attached it to my Bus Pirate and after a lot of trial and error managed to communicate with the chip.

Finally I wrote this small python-script that dumped the content of the chip.

I'm now in the possession of the unencrypted firmware for airport express, but still there is a lot of stuff remaining. The firmware is compressed, and I have had no success brute-force inflating it, so I may have to start reverse-engineering the bootloader just to get to the uncompressed firmware. Another option could be running it under qemu, the decompression-part that is, should be fairly generic MIPS-code.
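The header layout listed in the question (offsets 0x0F to 0x35, with the version fields duplicated at 0x2F), as an added example that is not part of the question or of any answer: a Python parser that reads both copies of the fields, checks that they agree, and applies the same byte-entropy statistic binwalk -H reports to the rest of the file. The sample image is constructed here from the values quoted for 7.6.3; treating everything after offset 0x35 as the encrypted payload is an assumption.

```python
import hashlib
import math
import struct

# Header layout quoted in the question (hex offsets); 0x0F-0x15 repeats at 0x2F-0x35.
MAGIC = b"APPLE-FIRMWARE"
FIELDS = ("format_version", "product_id", "major", "minor")
HEADER_LEN = 0x36  # assumption: payload starts after the last described byte

def parse_header(blob):
    """Return the described fields; ValueError on a bad magic or mismatched copies."""
    if len(blob) < HEADER_LEN:
        raise ValueError("image shorter than the described header")
    if blob[0x20:0x2E] != MAGIC:
        raise ValueError("static string APPLE-FIRMWARE not at offset 0x20")
    # '>bxxxbbb': signed byte, three undescribed bytes, three signed bytes
    first = struct.unpack_from(">bxxxbbb", blob, 0x0F)
    second = struct.unpack_from(">bxxxbbb", blob, 0x2F)
    if first != second:
        raise ValueError("header copies at 0x0F and 0x2F disagree")
    info = dict(zip(FIELDS, first))
    # The question reads the minor byte's hex digits as version digits
    # (0x63 -> x.63), consistent with the 7.6.3 file name; followed here.
    info["version"] = "%d.%02x" % (info["major"], info["minor"] & 0xFF)
    return info

def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0, the statistic binwalk -H thresholds on."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(blob, threshold=7.5):
    """True when the bytes after the header are near-maximal entropy."""
    return shannon_entropy(blob[HEADER_LEN:]) >= threshold

def build_sample_image():
    """Constructed sample, not a real dump: 7.6.3 header values plus random-looking payload."""
    hdr = bytearray(HEADER_LEN)
    for base in (0x0F, 0x2F):
        hdr[base], hdr[base + 4] = 0x2D, 0x73      # format 45, product 115
        hdr[base + 5], hdr[base + 6] = 0x07, 0x63  # major 7, minor "63"
    hdr[0x20:0x2E] = MAGIC
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return bytes(hdr) + payload
```

Run parse_header and looks_encrypted over a real .basebinary to confirm the two header copies match and that the body is the high-entropy region binwalk flags, before spending time on signature scans.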