# Reverse Trendnet TS-S402 firmware

## Downloading the firmware from the vendor webpage

First, we need to download the firmware from the vendor webpage. I downloaded the 2015 version:

```
wget http://downloads.trendnet.com/TS-S402/firmware/FW_TS-S402(2.00.13).zip
```

{% embed url="<http://downloads.trendnet.com/TS-S402/firmware/>" %}

![](/files/-MYoer5xPchqGLHvFdU2)

Next, unzip the firmware file:

```
unzip FW_TS-S402\(2.00.13\).zip
```

![](/files/-MYofPWtqPjqhFOAdhja)

## Inspecting the binary files

Using **file** command we can get some information from the firmware binary files:

```
file REMOTE_PACKAGE_2_30.bin
file TS-S402_FW_2_00_13.bin
```

![](/files/-MYofquhIpsUYNFe7h6d)

Or not :face\_with\_symbols\_over\_mouth:&#x20;

![](/files/-MYogAKjZRwoI-y1Q14n)

Let's using binwalk - our best friend :sunglasses:&#x20;

```
binwalk TS-S402_FW_2_00_13.bin
```

![](/files/-MYogY8YVwjEMXgZjDMx)

We can observe a lot of LZMA data, however, we got an interesting gzip compressed file as well. From this point, we can use the **-x option to ignore LZMA compression** and extract only the gzip file. Something like this:

{% hint style="success" %}
binwalk **-ex lzma** TS-S402\_FW\_2\_00\_13.bin

-**e:** extraction option\
\&#xNAN;**-x:** ignore option<br>
{% endhint %}

![](/files/-MYohT3oaQ_htfJYAw9N)

Accessing the \_TS-S402-FW\... folder, we can observe two files:

![](/files/-MYoi8JKW1Z9-gjit1Bf)

```
file 20                    
20: POSIX tar archive (GNU)
```

Ok, **20** file is another compressed file. Let's renaming it and unarchiving it.

```
mv 20 20.tar 
tar -xvf 20.tar
```

![](/files/-MYoiVZ4nnyyO2PuhJ0V)

Yeah dude, it was a strong journey! :sunglasses:&#x20;

## Mount the filesystem

```
mkdir sqsh
sudo mount rootfs.armeb.squashfs ./sqsh/ -t squash fs -o loop
```

If you got an error, don't worry about that!

![](/files/-MYomBEsMuf4x4I8nvbW)

If we look at the hexadecimal, we can see the file format:

```
cat rootfs.armeb.squashfs | xxd | less
```

![](/files/-MYoo0BdtTwIe_MG90sS)

**Install**: <https://github.com/devttys0/sasquatch>

and

```
./sasquatch rootfs.armeb.squashfs 
ls
```

## References

{% embed url="<http://www.devttys0.com/2011/08/extracting-non-standard-squashfs-images/>" %}

{% embed url="<https://github.com/project-magpie/jffs2dump>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-trendnet-ts-s402-firmware.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.