Just to make sure it is a firmware image instead of a zip file:
Run strings to check the content of the file and see whether there is anything of interest:
From the strings output, we can see there is a kernel, a U-Boot bootloader and what seems to be configuration data, which hints that there might be a Linux-based filesystem.
A quick look at the hexdump reveals what might be the model this firmware is for, which is MT7620-N. Other than that, there is nothing interesting.
binwalk is able to identify two uImage headers, one for U-Boot (no compression) and the other for the OS kernel (LZMA with property 0x6d). Following the LZMA-compressed data, there is a list of xz-compressed data sections reported by binwalk, which might be the obfuscated or encrypted filesystem.
With the output of binwalk, we go back to the output of the hexdump. This time, we are going to take a look at the content at the end of the kernel image and at the beginning of the xz archives.
From the screenshot we can clearly see there is a squashfs header in the firmware, which raises the question of why binwalk is not picking it up.
Check the squashfs manually and see if there is anything interesting.
Then try unsquashfs from the squashfs project:
It seems like the properties in the header are all messed up. Judging from the reported version together with all the available versions of squashfs as well as the datetime this firmware was created, an educated guess is that the version property is masked by 0xffff.
Unmask the version with vim and try again:
Since we can clearly see the xz headers in the firmware hexdump, it is very likely that the utility cannot locate the data properly using the metadata in the header section. Taking another look at the output of the hexdump, it seems like the inode_count and compression_id fields are also masked. Unmask these two fields as well:
However, the extraction failed again with another error message. After a side-by-side comparison between the squashfs header and the Squashfs Binary Format, it seems that while the flags field (0x06C0) indicates there is a compression options section in the squashfs header, it is actually not included. So change this to 0x02C0 and try again:
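The header checks done by hand above can also be scripted. The following is an added example, not part of the original write-up: it assumes the standard little-endian squashfs 4.0 superblock layout, and both the sample bytes and the xz-magic heuristic for the flags field are constructed for illustration.

```python
import struct

SUPERBLOCK = struct.Struct("<5I6H8Q")   # 96-byte squashfs 4.x superblock, little-endian
FIELDS = ("magic inode_count mod_time block_size frag_count compression_id block_log "
          "flags id_count version_major version_minor root_inode bytes_used id_table "
          "xattr_table inode_table dir_table frag_table export_table").split()
MAGIC = 0x73717368                      # b"hsqs" on disk
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
FLAG_COMP_OPTS = 0x0400                 # "compressor options present"
XZ_MAGIC = b"\xfd7zXZ\x00"

def parse_superblock(image, offset=0):
    return dict(zip(FIELDS, SUPERBLOCK.unpack_from(image, offset)))

def anomalies(image, offset=0):
    """Name the superblock fields that fail basic sanity checks."""
    sb = parse_superblock(image, offset)
    found = []
    if sb["magic"] != MAGIC:
        found.append("magic")
    if (sb["version_major"], sb["version_minor"]) != (4, 0):
        found.append("version")
    if sb["compression_id"] not in COMPRESSORS:
        found.append("compression_id")
    if sb["block_size"] != 1 << sb["block_log"]:
        found.append("block_size/block_log")
    # Heuristic (assumption): an xz stream directly after the superblock means
    # no compressor-options block sits there, whatever the flag claims.
    start = offset + SUPERBLOCK.size
    if sb["flags"] & FLAG_COMP_OPTS and image[start:start + len(XZ_MAGIC)] == XZ_MAGIC:
        found.append("flags")
    return found

def clear_comp_opts_flag(image, offset=0):
    """Return a copy of the image with the compressor-options flag cleared."""
    patched = bytearray(image)
    flags_at = offset + 24              # 5 x u32 + 2 x u16 precede the flags field
    (flags,) = struct.unpack_from("<H", patched, flags_at)
    struct.pack_into("<H", patched, flags_at, flags & ~FLAG_COMP_OPTS)
    return bytes(patched)

def sample_image(flags=0x06C0, version=(0xFFFF, 0)):
    # Constructed superblock followed by an xz magic; not bytes from the real firmware.
    sb = SUPERBLOCK.pack(MAGIC, 100, 0, 131072, 1, 4, 17, flags, 1, *version, *([0] * 8))
    return sb + XZ_MAGIC + bytes(16)
```

Pass the offset at which the squashfs magic appears in the firmware image as `offset`; patching a copy rather than the original keeps the untouched image available for comparison.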