How do you extract an ecram_sto.bin?

Started by LightworkerNaven, November 15, 2012, 10:41:20 PM


LightworkerNaven

Hey, I JTAGed my modem and pulled the ecram_sto.bin file off of it and firmware mod kit says it couldn't find a supported file system.  Do you have any tips on properly extracting ecram_sto.bin in case I did it wrong, or using firmware mod kit to extract it?

-----------
./extract-ng.sh ecram_sto.bin ./ecram_sto
Firmware Mod Kit (build-ng) 0.78 beta, (c)2011-2012 Craig Heffner, Jeremy Collake
http://www.bitsum.com

Scanning firmware...

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------

Extracting 0 bytes of  header image at offset 0
ERROR: No supported file system found! Aborting...

Jeremy Collake

You pulled out a ROM image, which can be a lot different from a firmware image, but does have its filesystem and component parts, such as the kernel image and boot loader. These could be extracted... but not with the Firmware Mod Kit; it really isn't designed for that. You could try it, but if the -ng scripts don't work, then you'll need to do a proper manual analysis. Disassembly with IDA may be of assistance for analysis of the parts that are code.
Software Engineer. Bitsum LLC.

LightworkerNaven

Quote from: Jeremy Collake on November 16, 2012, 02:33:27 AM
You pulled out a ROM image, which can be a lot different from a firmware image, but does have its filesystem and component parts, such as the kernel image and boot loader. These could be extracted... but not with the Firmware Mod Kit; it really isn't designed for that. You could try it, but if the -ng scripts don't work, then you'll need to do a proper manual analysis. Disassembly with IDA may be of assistance for analysis of the parts that are code.

The way I did it was to take the portion that had ecram_sto.bin in it (starting at the code after the last bunch of FFFFFFFFFFFFFFFFFFFF and ending at the code that happens before the next FFFFFFFFFFFFFFFFFF starts). I used HxD to grab that. As long as it isn't a chunk of null bytes, it's code. Is it safe to say that I grabbed the file properly from the dump? Do you mean that the firmware image is different as it isn't flashed directly, or do you mean it's different as a firmware image isn't the full dump? ecram_sto.bin is the firmware file, correct?

Also, I tried using IDA, but it couldn't find its insertion point, so it had me look at it and hit "c" for the lines that have code in them. I started at the top and it expanded it to code, but some lines didn't expand, or it asked me if it should be expanded directly. IDA always confused me, as I'm a bit of a beginner when it comes to opcodes and hex, but I know how to program in some human-readable languages. Any chance you could help me out by looking at my dump for me and extracting the file if I'm doing it wrong? I want to see if Firmware Mod Kit can extract it when it's properly extracted. I grabbed the dump from the stock firmware of a CG3000D unit, and it's for the modem I'm only using to build this software, so it can be sent through a PM or made public. It doesn't matter.
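
The hand-carving described in the post above (cut between runs of 0xFF, treat anything that is not padding as data) can be automated. The script below is an added example, not code from the thread or from the Firmware Mod Kit: it splits a dump at long runs of the erased-flash byte and reports which well-known container magic values appear in each region, so you can see whether a carved chunk actually starts at an image header. The sample dump is constructed; the magic list and the 16-byte run threshold are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

# Signatures of container formats often found in a flash dump. These are
# well-known magic values (the kind firmware-mod-kit/binwalk scan for); the
# short list here is an assumption of this example, not an exhaustive one.
MAGICS: Dict[bytes, str] = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
}


def carve_segments(dump: bytes, pad: int = 0xFF, min_run: int = 16) -> List[Tuple[int, int]]:
    """Return (start, end) offsets of data regions separated by runs of `pad`.
    0xFF is the erased state of flash, so long runs usually mark unused space
    between images. Short runs are kept as data: real images legitimately
    contain a few 0xFF bytes in a row, and cutting there would split them."""
    pattern = re.escape(bytes([pad])) + b"{%d,}" % min_run
    segments: List[Tuple[int, int]] = []
    prev_end = 0
    for run in re.finditer(pattern, dump):
        if run.start() > prev_end:
            segments.append((prev_end, run.start()))
        prev_end = run.end()
    if prev_end < len(dump):
        segments.append((prev_end, len(dump)))
    return segments


def identify(segment: bytes) -> List[Tuple[int, str]]:
    """List (offset, format) for every known magic value inside a segment.
    A hit at offset 0 suggests the carve boundary is right; a hit deeper in
    means the image is embedded in, or split across, a larger region."""
    hits: List[Tuple[int, str]] = []
    for magic, name in MAGICS.items():
        off = segment.find(magic)
        while off != -1:
            hits.append((off, name))
            off = segment.find(magic, off + 1)
    return sorted(hits)


# Constructed toy dump (not a real CG3000D image): erased flash, a fake uImage
# header plus filler, more erased flash, then the start of a fake squashfs.
SAMPLE_DUMP = (
    b"\xff" * 64
    + b"\x27\x05\x19\x56" + b"BOOT" * 8
    + b"\xff" * 32
    + b"hsqs" + b"\x00" * 40
    + b"\xff" * 64
)

if __name__ == "__main__":
    for start, end in carve_segments(SAMPLE_DUMP):
        hits = identify(SAMPLE_DUMP[start:end])
        print(f"0x{start:06x}-0x{end:06x} ({end - start} bytes): {hits or 'unknown data'}")
```

Run it against a real dump with `open(path, "rb").read()` in place of `SAMPLE_DUMP`; a region with no hits is not necessarily junk, it may be a boot loader, calibration data or a format the list does not know.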

Jeremy Collake

The ROM image can consist of dynamically created portions or static portions not present in a firmware image. Further, the firmware image can be (but isn't always) split apart and put into different areas of the ROM. Yes, using IDA requires expertise. This isn't something I have any easy answer for, it requires a lot of work and investigation, for a device I don't own, use, have, or need ;p.
Software Engineer. Bitsum LLC.

mbetter95

It will successfully handle many more firmware images than the original script and tools. I believe that extraction/rebuilding of the DD-WRT web UI is now possible as well.