Huawei EchoLife CPE Firmware Data Structure - Unpack and Repack

DO THIS WITH CAUTION, DON'T CONTINUE IF YOU DON'T KNOW WHAT YOU ARE DOING !!!

I'M NOT RESPONSIBLE IF YOU HARM YOUR CPE DEVICE !!!

To make a custom firmware, you need to know the data structure of the firmware bin file.

A sample of the firmware header in hex is:

EB49 000E 5A5A A5A5 0086AFE4 0001 0201 0400 0200
EB49 is the crc16 (xmodem) of the whole file, computed from 000E to the end of the file
000E is a common number identifier (don't change)
5A5A A5A5 is a common number identifier for the beginning of a new file (don't change)
0086AFE4 is the file size in hex
0001 0201 0400 0200 is the code of your CPE device (it is the same for all devices of the same type)

Using a hex editor program such as Hex Workshop, search for the hex sequence 5A5A A5A5, which marks the beginning of each file inside the firmware and, of course, the end of the previous file.

The structure of each file is identified by the following hex:

5A5A A5A5 1000 000000 1CA374 2E97 0000
1000 is the identifier of the file type; keep it the same for the same file
000000 is a common number identifier (don't change)
1CA374 is the size of the single file, counted from the first 4 zeros 0000 to the end of the single file
2E97 is the crc16 (xmodem) of the single file, computed from the first 4 zeros 0000 to the end of the single file
0000 is a common number identifier (don't change)

This is a sample of the file header hexes at the beginning of a firmware file:

EB49 000E
5A5A A5A5 0086AFE4 0001 0201 0400 0200 V100R001LBYC10B031
5A5A A5A5 1000 000000 1DACB2 0329 0000 apps.7z .............
5A5A A5A5 1208 000000 081F4C 7444 0000 microcode.blob .............
5A5A A5A5 1500 000000 067FEE 7247 0000 vxWorks.7z .............
5A5A A5A5 1201 000000 000111 122E 0000 operatorconfig.txt .............
5A5A A5A5 1202 000000 000F8C B441 0000 operatorcsspara.cfg .............
5A5A A5A5 1206 000000 0006A1 A3E5 0000 ss1130_5M_usb.sh .............
5A5A A5A5 1207 000000 00069F 9FE8 0000 ss1130_10M_usb.sh .............
5A5A A5A5 1100 000000 000184 5C55 0000 bootLoader.bin .............
5A5A A5A5 1400 000000 04DAB0 7F7B 0000 bootrom.bin .............
5A5A A5A5 0100 000000 0107D2 3E65 0000 .............
5A5A A5A5 0203 000000 010000 0DD5 0000 ubootpam.conf .............
5A5A A5A5 0202 000000 00415A 3E72 0000 defaultcfg.xml .............
5A5A A5A5 0500 000000 0D1B1F 479D 0000 .............
5A5A A5A5 0000 000000 460094 F675 0000 qshs-rootfs .............

To generate the crc16 xmodem checksum in Hex Workshop:
  • open a file in Hex Workshop
  • click on Tools > Generate Checksum...
  • select Custom CRC > click on Custom CRC
  • select 16bit CRC
  • Type 1021 in the Polynomial
  • Type 0000 in the Initial Value
  • unselect both In and Out Reflections
  • type 0000 in the XOR Out
  • click on Generate
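The same checks can be scripted instead of done by hand in Hex Workshop. The following Python is an added example written for this post, not code from the original page or from Huawei: it implements the crc16 xmodem with exactly the parameters listed above (polynomial 1021, initial value 0000, no reflections, XOR out 0000), builds a miniature image with the outer header and two file records in the layout described above, unpacks it by walking the file records and verifying every CRC, and repacks it with recomputed sizes and CRCs. The device code and version string are copied from the sample header; the file contents are made up. Two details the page does not spell out are assumptions here: the "000000" plus 3-byte size is read as one 6-byte big-endian number (the value is the same either way), and the file name is taken to be NUL-terminated between the trailing 0000 and the file data.

```python
import struct

# Constants taken from the page's description of the container layout.
MAGIC = b"\x5a\x5a\xa5\xa5"      # marks the start of the image body and of every file
OUTER_ID = b"\x00\x0e"           # fixed identifier after the outer CRC
ENTRY_HEADER_LEN = 14            # magic(4) + type(2) + size(6) + crc(2)


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM with the parameters the page gives for Hex Workshop:
    polynomial 0x1021, initial value 0x0000, no reflection, XOR out 0x0000."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_entry(file_type: int, name: bytes, payload: bytes) -> bytes:
    """One file record: 5A5AA5A5, type, 000000+size, crc16, then the covered region.
    Size and CRC both cover the region from the trailing 0000 to the end of the
    file. A NUL-terminated name between the 0000 and the data is an assumption:
    the page shows the name but not how it is delimited."""
    body = b"\x00\x00" + name + b"\x00" + payload
    return (MAGIC + struct.pack(">H", file_type)
            + len(body).to_bytes(6, "big")          # "000000" + 3-byte size on the page
            + struct.pack(">H", crc16_xmodem(body))
            + body)


def build_image(device_code: bytes, version: bytes, entries: list) -> bytes:
    """Outer header: crc16, 000E, 5A5AA5A5, total size, 8-byte device code,
    version string, then the file records. The CRC covers everything from 000E
    to the end of the file, so it is computed last."""
    rest = device_code + version + b"".join(entries)
    total = 2 + 2 + 4 + 4 + len(rest)               # size field counts the whole file
    body = OUTER_ID + MAGIC + struct.pack(">I", total) + rest
    return struct.pack(">H", crc16_xmodem(body)) + body


def parse_image(data: bytes) -> dict:
    """Unpack: verify the outer CRC, then walk the file records by their size
    fields and verify each record's CRC."""
    if data[2:4] != OUTER_ID or data[4:8] != MAGIC:
        raise ValueError("not a recognised image header")
    info = {
        "outer_crc_ok": struct.unpack(">H", data[:2])[0] == crc16_xmodem(data[2:]),
        "declared_size": struct.unpack(">I", data[8:12])[0],
        "actual_size": len(data),
        "device_code": data[12:20].hex(),
        "entries": [],
    }
    pos = data.find(MAGIC, 20)      # skip the version string; its length is not fixed here
    while 0 <= pos < len(data):
        hdr = data[pos:pos + ENTRY_HEADER_LEN]
        if len(hdr) < ENTRY_HEADER_LEN or hdr[:4] != MAGIC:
            raise ValueError("bad file record at offset %#x" % pos)
        size = int.from_bytes(hdr[6:12], "big")
        body = data[pos + ENTRY_HEADER_LEN:pos + ENTRY_HEADER_LEN + size]
        if len(body) != size:
            raise ValueError("truncated file record at offset %#x" % pos)
        name, _, payload = body[2:].partition(b"\x00")   # NUL-terminated name: assumption
        info["entries"].append({
            "offset": pos,
            "type": struct.unpack(">H", hdr[4:6])[0],
            "size": size,
            "name": name.decode("ascii", "replace"),
            "payload": payload,
            "crc_ok": struct.unpack(">H", hdr[12:14])[0] == crc16_xmodem(body),
        })
        pos += ENTRY_HEADER_LEN + size
    return info


def repack(info: dict, device_code: bytes, version: bytes) -> bytes:
    """Rebuild an image from parsed entries, recomputing every size and CRC."""
    entries = [build_entry(e["type"], e["name"].encode("ascii"), e["payload"])
               for e in info["entries"]]
    return build_image(device_code, version, entries)


# Constructed sample: device code and version string copied from the page's header
# sample; the file contents are made up for the demonstration.
DEVICE_CODE = bytes.fromhex("0001020104000200")
VERSION = b"V100R001LBYC10B031"


def sample_image() -> bytes:
    return build_image(DEVICE_CODE, VERSION, [
        build_entry(0x1201, b"operatorconfig.txt", b"example=1\n"),
        build_entry(0x1000, b"apps.7z", bytes(range(32))),
    ])


if __name__ == "__main__":
    for e in parse_image(sample_image())["entries"]:
        print("%#06x %-20s %6d bytes crc_ok=%s" % (e["type"], e["name"], e["size"], e["crc_ok"]))
```

To check a real image, replace `sample_image()` with the bytes of the firmware file and compare `declared_size` with `actual_size` and the two CRC flags; any edit to a file record needs its own record CRC and size refreshed and then the outer CRC recomputed, which is what `repack` does.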
