Disassemble of a T-Sinus 154 Firmware

The firmware can be downloaded on the T-Com Webpages ready to upgrade the box. The Firmware is a zip file which can be extracted. The 0.81 firmware contains a single file called:

-rw-rw-rw- 1 flo mways 786442 Feb 27 2004 FW_154Komfort_V0.81.bin

From looking at the file it seems to be some zip files concatted. I used foremost with this pattern to split the file:

-rw-rw-r-- 1 flo mways 147867 Jan 25 21:15 00000000.zip -rw-rw-r-- 1 flo mways 430433 Jan 25 21:15 00000001.zip -rw-rw-r-- 1 flo mways 80502 Jan 25 21:15 00000002.zip

-rw-rw-r-- 1 flo mways 93996 Sep 10 2003 3890EndFW_1.0.4.3.arm -rw-rw-r-- 1 flo mways 812235 Jan 30 2004 PFS.IMG -rw-rw-r-- 1 flo mways 1251500 Jan 30 2004 SOHO.BIN

The 3890EndFW_1.0.4.3.arm seems to be a Prism 54 Firmware as i guess from this article as it shows:

0x00000080: 00000000 00000000 00000000 56657273 ............Vers 0x00000090: 696F6E20 312E302E 342E3320 6275696C ion 1.0.4.3 buil 0x000000A0: 74206F6E 20576564 204A756C 20313620 t on Wed Jul 16 0x000000B0: 31313A31 363A3239 20434553 54203230 11:16:29 CEST 20 0x000000C0: 30332062 7920696E 6C627569 6C644074 03 by inlbuild@t 0x000000D0: 69780000 5041434B 5041434B 5041434B ix..PACKPACKPACK 0x000000E0: D3F021E3 80FB8FE3 0000A0E1 C42F8FE2 Óð!ã.û.ã.. áÄ/.â

The PFS.IMG file is a pseudo read-only filesystem more like a tar. Fixed superblock and fixes size dentrys. I wrote a little programm readpfs.c to extrace the individual files from the PFS.IMG. The resulting files are:

www\images\hg_linien_grau.gif www\images\pic_b_back.gif www\images\pic_c_b.gif www\images\pic_c_bl.gif www\images\pic_c_br.gif www\images\pic_c_m.gif www\images\pic_c_menu.gif www\images\pic_c_menu_first.gif www\images\pic_c_menu_l.gif www\images\pic_c_menu_l_first.gif www\images\pic_c_ml.gif www\images\pic_c_mr.gif www\images\pic_c_product.jpg www\images\pic_c_sl.gif www\images\pic_c_sr.gif www\images\pic_h_t.gif www\images\pic_h_tl.gif www\images\pic_h_tr.gif www\images\pic_t_back.jpg www\images\button_alles_loeschen2.gif www\images\button_alles_loeschen.gif www\images\button_beenden2.gif www\images\button_beenden.gif www\images\button_loeschen2.gif www\images\button_loeschen.gif www\images\button_ok2.gif www\images\button_ok.gif www\images\button_ok_weiter2.gif www\images\button_ok_weiter.gif www\images\button_speichern2.gif www\images\button_speichern.gif www\images\button_zurueck2.gif www\images\button_zurueck.gif www\images\pic_c_m_first.gif www\images\pic_i_back.jpg www\images\pic_m_back.jpg www\images\button_ok_r.gif www\images\button_ok_r2.gif www\images\button_standard2.gif www\images\button_standard.gif www\images\pic_m_head.gif www\images\pic_m_marker.gif www\images\pic_c_haken.gif www\images\pic_b_154K.gif www\images\pic_hinweis.gif www\doc\t_wan_2.stm www\doc\i_laden.htm www\doc\login.htm www\doc\c_status_information.stm www\doc\i_status.htm www\doc\hcti_assistent_3.htm www\doc\wait_u.stm www\doc\wait.stm www\doc\b.htm www\doc\c_hilfsmittel.stm www\doc\i_hilfsmittel_datum.htm www\doc\c_start.stm www\doc\c_laden.stm www\doc\c_status.stm www\doc\tmp_m.css www\doc\t_sicherheit_f_z_ft.stm www\doc\c_netzwerk_wireless.stm www\doc\tools.txt www\doc\c_netzwerk_wan_pppoe.stm www\doc\h_assistent_2.htm www\doc\loginerr.stm www\doc\c_netzwerk_wan_dhcp.stm www\doc\hcti_start.htm www\doc\hcti_sicherheit_f_z_ft.htm www\doc\c_netzwerk_wan_static.stm www\doc\c_sicherheit_f_z_ft.stm www\doc\t_0_l_z_s_history.stm www\doc\tmp_i.css www\doc\c_sicherheit_wpa.stm www\doc\routine.txt www\doc\hwoption.stm www\doc\c_status_usb.stm www\doc\dhcp.stm www\doc\t_wan_1.stm www\doc\igd.xml www\doc\hcti_assistent_2a.htm www\doc\hcti_status_wlan.htm www\doc\hcti_sicherheit_f_z.htm www\doc\production.stm www\doc\hcti_status_information.htm www\doc\i_laden_s.htm www\doc\hcti_security.htm www\doc\t_sicherheit_f.stm www\doc\c_netzwerk_nat_einaus.stm www\doc\EMI_TEST.STM www\doc\m_laden.htm www\doc\qstatus.stm www\doc\hcti_sicherheit_f.htm www\doc\hcti_assistent_1.htm www\doc\t_assistent_3.stm www\doc\top_start_passwort.htm www\doc\hcti_sicherheit_f_t_regneu.htm www\doc\i_laden_w.htm www\doc\function.stm www\doc\h_passwort.htm www\doc\c_assistent_5.stm www\doc\h_start.stm www\doc\m_status.htm www\doc\tmp_t.css www\doc\i_start.htm www\doc\c_hilfsmittel_datum.stm www\doc\i_netzwerk_ddns.htm www\doc\hcti_sicherheit_f_t.htm www\doc\hcti_sicherheit_g_mac.htm www\doc\i_sicherheit_802t.htm www\doc\t_0_z_history.stm www\doc\c_assistent_1.stm www\doc\c_sicherheit_f_t_regneu.stm www\doc\c_laden_l.stm www\doc\tmp_c.css www\doc\t_sicherheit_a.stm www\doc\ban.stm www\doc\t_wan_2a.stm www\doc\hcti_sicherheit_g_wep.htm www\doc\hcti_status_internet.htm www\doc\t_z_sicherheit_f.stm www\doc\hcti_status_sicherheit.htm www\doc\h_status_wlan.htm www\doc\h_status_sicherheit.htm www\doc\hcti_status.htm www\doc\i_laden_l.htm www\doc\hcti_passwort.htm www\doc\routine3.txt www\doc\hcti_hilfsmittel.htm www\doc\hcti_start_passwort.htm www\doc\c_status_sicherheit.stm www\doc\hcti_status_internet_W.htm www\doc\t_0_master.stm www\doc\m_startseite.htm www\doc\c_sicherheit_f_t.stm www\doc\c_sicherheit_f_z_mac.stm www\doc\index.stm www\doc\h_assistent_2p.htm www\doc\h_assistent_2s.htm www\doc\c_status_internet.stm www\doc\hcti_assistent_2s.htm www\doc\hcti_netzwerk_wan.htm www\doc\i_status_sicherheit.htm www\doc\i_netzwerk_wds.htm www\doc\t_z_s_sicherheit.stm www\doc\c_sicherheit_g_mac.stm www\doc\t_0_z_ok_history.stm www\doc\c_netzwerk_nat_s.stm www\doc\c_status_wlan.stm www\doc\routine2.txt www\doc\c_sicherheit_f.stm www\doc\t_hilfsmittel_datum.stm www\doc\i_sicherheit_802r.htm www\doc\h_assistent_5.htm www\doc\t_0_z_s_history.stm www\doc\h_netzwerk_wds_new.htm www\doc\tmp_h.css www\doc\c_sicherheit_f_einaus.stm www\doc\h_status_internet.htm www\doc\t_0_z_ok_start.stm www\doc\i_netzwerk_nat_v.htm www\doc\hcti_hilfsmittel_datum.htm www\doc\t_0_z_start.stm www\doc\qstatus_main.stm www\doc\hcti_netzwerk.htm www\doc\h_assistent_2d.htm www\doc\hcti_sicherheit_802r.htm www\doc\h_hilfsmittel_reboot.htm www\doc\c_netzwerk_wds_new.stm www\doc\t_assistent_5.stm www\doc\c_hilfsmittel_firm.stm www\doc\c_sicherheit_g_wep.stm www\doc\m_sicherheit.htm www\doc\tmp_status.css www\doc\hcti_assistent_2d.htm www\doc\c_start_passwort.stm www\doc\i_sicherheit_a_802_b.htm www\doc\hcti_netzwerk_nat.htm www\doc\t_assistent_1.stm www\doc\i_netzwerk_nat_einaus.htm www\doc\h_sicherheit_g_wep.htm www\doc\i_netzwerk_wan_R.htm www\doc\i_assistent_1.htm www\doc\t_netzwerk_nat.stm www\doc\hcti_laden.htm www\doc\i_hilfsmittel_reboot.htm www\doc\t_assistent_2.stm www\doc\m_start_passwort.htm www\doc\m_netzwerk.htm www\doc\h_assistent_4.htm www\doc\hcti_hilfsmittel_reboot.htm www\doc\h_sicherheit_g_mac.htm www\doc\h_status.htm www\doc\routine4.txt www\doc\hcti_netzwerk_nat_a.htm www\doc\c_laden_w.stm www\doc\tmp_s.css www\doc\c_netzwerk_lan.stm www\doc\tmp_0_master.css www\doc\m_hilfsmittel.htm www\doc\t_0_trigger.stm www\doc\h_sicherheit_f_t_regneu.htm www\doc\hcti_assistent_4.htm www\doc\c_netzwerk_wds.stm www\doc\loginpserr.htm www\doc\c_sicherheit_a_wpa.stm www\doc\hcti_sicherheit_a_wpa.htm www\doc\c_sicherheit_f_z.stm www\doc\c_hilfsmittel_fern.stm www\doc\h_sicherheit.htm www\doc\h_assistent_3.htm www\doc\i_hilfsmittel_firm.htm www\doc\hcti_sicherheit_wpa.htm www\doc\hcti_sicherheit_f_d.htm www\doc\c_netzwerk_nat_a.stm www\doc\h_hilfsmittel_datum.htm www\doc\i_netzwerk_lan.htm www\doc\h_sicherheit_wpa.htm www\doc\c_hilfsmittel_reboot.stm www\doc\hcti_netzwerk_nat_v.htm www\doc\c_hilfsmittel_datum_server.stm www\doc\hcti_sicherheit_e_w.htm www\doc\i_sicherheit_f_u.htm www\doc\h_netzwerk_nat.htm www\doc\t_0_s_z_s_history.stm www\doc\h_sicherheit_e_w.htm www\doc\hcti_sicherheit_p.htm www\doc\c_sicherheit_802t.stm www\doc\hcti_sicherheit_f_h.htm www\doc\h_netzwerk_nat_einaus.htm www\doc\i_netzwerk_nat.htm www\doc\c_sicherheit_e_w.stm www\doc\c_sicherheit.stm www\doc\c_sicherheit_f_d.stm www\doc\hcti_sicherheit_802t.htm www\doc\top_laden.htm www\doc\t_0_trigger1.stm www\doc\i_netzwerk_nat_s.htm www\doc\hcti_hilfsmittel_datum_svr.htm www\doc\hcti_netzwerk_nat_s.htm www\doc\h_sicherheit_a_wpa.htm www\doc\c_netzwerk_nat.stm www\doc\top_sicherheit.htm www\doc\top_assistent.htm www\doc\hcti_netzwerk_wireless.htm www\doc\h_netzwerk_nat_ddns.htm www\doc\hcti_sicherheit_a_802.htm www\doc\h_netzwerk_nat_upnp.htm www\doc\top_netzwerk.htm www\doc\hcti_sicherheit_f_u.htm www\doc\i_sicherheit.htm www\doc\verinfo.txt www\doc\top_status.htm www\doc\top_hilfsmittel.htm www\doc\i_assistent_2.htm www\doc\h_sicherheit_802t.htm www\doc\h_status_information.htm www\doc\m_assistent.htm www\doc\h_sicherheit_802r.htm www\doc\t_assistent_4.stm www\doc\c_sicherheit_802r.stm www\doc\i_sicherheit_f_z_pchinzu.htm www\doc\c_netzwerk_nat_v.stm www\doc\h_sicherheit_f_t_regneu.stm www\doc\c_assistent_2.stm www\doc\h_sicherheit_a_802.htm www\doc\i_sicherheit_f_h.htm www\doc\i_sicherheit_f_d.htm www\doc\i_sicherheit_f_t.htm www\doc\IGD_L.STM www\doc\igd.stm www\doc\igd_l3f.xml www\doc\igd_lcm.xml www\doc\igd_osf.xml www\doc\i_netzwerk_wireless.htm www\doc\igd_wcic.xml www\doc\igd_wdsl.xml www\doc\igd_wec.xml www\doc\igd_wic.xml www\doc\igd_wpc.xml www\doc\i_sicherheit_a_802.htm www\doc\igd_w.stm www\doc\igd_wc1.stm www\doc\igd_wc2.stm www\doc\i_status_information.htm www\doc\hcti_assistent_2.htm www\doc\c_sicherheit_f_u.stm www\doc\c_sicherheit_f_z_pchinzu.stm www\doc\h_sicherheit_f_einaus.htm www\doc\hcti_sicherheit_f_einaus.htm www\doc\hcti_netzwerk_wds.htm www\doc\i_sicherheit_f_z_mac.htm www\doc\hcti_sicherheit_a_wep.htm www\doc\h_netzwerk_wds.htm www\doc\h_sicherheit_f_z_ft.htm www\doc\h_netzwerk_nat_a.htm www\doc\c_sicherheit_p.stm www\doc\h_netzwerk_lan.htm www\doc\i_sicherheit_e_w.htm www\doc\h_netzwerk.htm www\doc\my_function.txt www\doc\h_netzwerk_nat_v.htm www\doc\i_sicherheit_f_z.htm www\doc\c_netzwerk.stm www\doc\h_netzwerk_nat_s.htm www\doc\h_sicherheit_f_z_mac.htm www\doc\h_sicherheit_f_z_pchinzu.stm www\doc\c_sicherheit_f_z_einaus.stm www\doc\h_sicherheit_f_z.htm www\doc\i_sicherheit_f_z_ft.htm www\doc\h_assistent_1.htm www\doc\h_sicherheit_f_u.htm www\doc\h_netzwerk_wan.htm www\doc\h_netzwerk_wireless.htm www\doc\h_sicherheit_f_t.htm www\doc\i_sicherheit_g_mac.htm www\doc\i_assistent_5.htm www\doc\i_sicherheit_g_wep.htm www\doc\i_sicherheit_wpa.htm www\doc\t_0_al_z_s_history.stm www\doc\h_sicherheit_f.htm www\doc\hcti_netzwerk_ddns.htm www\doc\i_sicherheit_f.htm www\doc\i_netzwerk_upnp.htm www\doc\i_netzwerk_nat_a.htm www\doc\hcti_netzwerk_nat_einaus.htm www\doc\i_passwort.htm www\doc\c_netzwerk_ddns.stm www\doc\i_sicherheit_f_z_einaus.htm www\doc\t_start_passwort.stm www\doc\top_startseite.htm www\doc\hcti_assistent_5.htm www\doc\i_hilfsmittel_datum_server.htm www\doc\i_sicherheit_a_wpa.htm www\doc\i_sicherheit_a_wep.htm www\doc\i_hilfsmittel_fern.htm www\doc\c_netzwerk_upnp.stm www\doc\i_sicherheit_f_t_regneu.htm www\doc\hcti_netzwerk_upnp.htm www\doc\hcti_sicherheit.htm www\doc\h_sicherheit_f_h.htm www\doc\i_hilfsmittel.htm www\doc\h_sicherheit_p.htm www\doc\i_hilfsmittel_datum_manuell.htm www\doc\hcti_netzwerk_lan.htm www\doc\i_assistent_4.htm www\doc\hcti_hilfsmittel_datum_man.htm www\doc\i_assistent_3.htm www\doc\i_sicherheit_p.htm www\doc\h_sicherheit_f_d.htm www\doc\i_0_master.htm www\doc\i_status_wlan.htm www\doc\c_assistent_2p.stm www\doc\h_sicherheit_f_z_pchinzu.htm www\doc\hcti_sicherheit_f_z_pchinzu.htm www\doc\hcti_sicherheit_f_z_mac.htm www\doc\i_status_internet.htm www\doc\h_sicherheit_f_z_einaus.htm www\doc\hcti_sicherheit_f_z_einaus.htm www\doc\h_laden.htm www\doc\h_hilfsmittel_datum_manuell.htm www\doc\i_start_passwort.htm www\doc\hcti_laden_w.htm www\doc\hcti_laden_l.htm www\doc\h_laden_l.htm www\doc\h_laden_w.htm www\doc\h_hilfsmittel_firm.htm www\doc\h_hilfsmittel_fern.htm www\doc\h_hilfsmittel.htm www\doc\hcti_hilfsmittel_firm.htm www\doc\hcti_hilfsmittel_fern.htm www\doc\h_hilfsmittel_datum_server.htm www\doc\c_hilfsmittel_datum_manuell.stm www\doc\hcti_netzwerk_wds_new.htm www\doc\c_sicherheit_a_802.stm www\doc\hcti_assistent_2p.htm www\doc\c_netzwerk_wan_R.stm www\doc\h_start_passwort.htm www\doc\i_assistent_2p.htm www\doc\i_sicherheit_f_einaus.htm www\doc\i_assistent_2s.htm www\doc\c_sicherheit_f_h.stm www\doc\i_assistent_2d.htm www\doc\t_assistent_2a.stm www\doc\i_netzwerk.htm www\cgi-bin\ac_control.exe www\cgi-bin\admz.exe www\cgi-bin\antenna_test.exe www\cgi-bin\aoaccadd.exe www\cgi-bin\aoaccdel.exe www\cgi-bin\aoschadd.exe www\cgi-bin\aoschdel.exe www\cgi-bin\aportadd.exe www\cgi-bin\aportdel.exe www\cgi-bin\aportfd.exe www\cgi-bin\asec.exe www\cgi-bin\aurlbk.exe www\cgi-bin\backup_config.bin www\cgi-bin\backup_log.exe www\cgi-bin\badsl.exe www\cgi-bin\bcable.exe www\cgi-bin\bdhcp.exe www\cgi-bin\bwtype.exe www\cgi-bin\clientfilter.exe www\cgi-bin\csetup_wan_fix.exe www\cgi-bin\fire_eb.exe www\cgi-bin\firewall_SPI.exe www\cgi-bin\hacker_prevention.exe www\cgi-bin\ipsec-sa.exe www\cgi-bin\log www\cgi-bin\login.exe www\cgi-bin\logout.exe www\cgi-bin\nat_sp.exe www\cgi-bin\pptp_c.exe www\cgi-bin\pptp_s.exe www\cgi-bin\qsetup_cable.exe www\cgi-bin\qsetup_time.exe www\cgi-bin\qsetup_wan_fix.exe www\cgi-bin\qsetup_wan_pppoe.exe www\cgi-bin\qstatusprocess.exe www\cgi-bin\restart.exe www\cgi-bin\restore.exe www\cgi-bin\setup_clientfilter.exe www\cgi-bin\setup_config_data.exe www\cgi-bin\setup_dmz.exe www\cgi-bin\setup_dns.exe www\cgi-bin\setup_firewall.exe www\cgi-bin\setup_fix_pat.exe www\cgi-bin\setup_lan.exe www\cgi-bin\setup_misc.exe www\cgi-bin\setup_pass.exe www\cgi-bin\setup_remote_mgmt.exe www\cgi-bin\setup_sch.exe www\cgi-bin\setup_snmp.exe www\cgi-bin\setup_specialapps.exe www\cgi-bin\setup_time.exe www\cgi-bin\setup_virtualserver.exe www\cgi-bin\setup_wan.exe www\cgi-bin\setup_wan_bridge.exe www\cgi-bin\setup_wan_dhcp.exe www\cgi-bin\setup_wan_fix.exe www\cgi-bin\setup_wan_modem.exe www\cgi-bin\setup_wan_pppoe.exe www\cgi-bin\snmp_community.exe www\cgi-bin\snmp_trap.exe www\cgi-bin\status.exe www\cgi-bin\statusprocess.exe www\cgi-bin\tdhcp.exe www\cgi-bin\tlog.exe www\cgi-bin\tmailtst.exe www\cgi-bin\tpppoe.exe www\cgi-bin\trenewip.exe www\cgi-bin\tswup.exe www\cgi-bin\tswupst.exe www\cgi-bin\upgrade.exe www\cgi-bin\upgrade_config.exe www\cgi-bin\upgrade_firm_browse.exe www\cgi-bin\wireless.exe www\cgi-bin\wireless_f.exe www\cgi-bin\wireless_info.exe www\cgi-bin\wireless_m.exe www\cgi-bin\wireless_mac.exe www\cgi-bin\wireless_ssid.exe www\cgi-bin\wiretype.exe www\cgi-bin\aadsl.exe www\cgi-bin\setup_ddns.exe www\cgi-bin\upnp_eb.exe www\cgi-bin\wireless_wep.exe www\cgi-bin\wireless_wpa.exe www\cgi-bin\wireless_e.exe www\cgi-bin\wireless1X.exe www\cgi-bin\setup_schxx.exe www\cgi-bin\emi_test.exe www\cgi-bin\tiny_del.exe www\cgi-bin\batmint.exe www\cgi-bin\ntp_setting.exe www\cgi-bin\nat_eb.exe www\cgi-bin\wds.exe www\cgi-bin\hw_opt.cgi www\cgi-bin\production.exe

The most interesting parts the .exe files are empty 0 byte files. The guess is that the OS or the Webserver just interprets them as jumps to internal routines. Also the webserver seems to be able to do SSI as some webpages show exec cmd includes.

The final file SOHO.BIN seems to be the real executable. From lookin at the binary the T-Sinus 154 uses a ADMTek 5120 CPU which is a Mips 4Kc CPU. It seems the Authors have used a lot Open Source Software:

0x000F1AA0: 6D2C2573 2025640A 00000000 633A2F67 m,%s %d.....c:/g 0x000F1AB0: 6E755F73 74756666 2F313534 4B6F6D66 nu_stuff/154Komf 0x000F1AC0: 6F72742F 736F7572 63652F66 69726D77 ort/source/firmw 0x000F1AD0: 6172652F 61702F68 74747064 2F687474 are/ap/httpd/htt 0x000F1AE0: 70642E63 00000000 68747470 643A2067 pd.c....httpd: g

0x000EFC50: 53484131 20706172 74206F66 2053534C SHA1 part of SSL 0x000EFC60: 65617920 302E382E 32622030 382D4A61 eay 0.8.2b 08-Ja 0x000EFC70: 6E2D3139 39380000 28313030 2563206C n-1998..(100%c l 0x000EFC80: 6F737329 0A000000 41707072 6F78696D oss)....Approxim

Here is a very similar device which has the exact same files in the firmware and seems to be quite similar. BBR-4MG. It seems our Baby is produced by Buffalo Tech Inc..

Disassembly of the T-Sinus 154 SE versions show that they are basically the same. Onyl the wireless seems to be replaced. Instead of a Prism54 not a Texas Instrument is assembled. Therefor the Wireless firmware image disappeared.