Reverse Trendnet TS-S402 firmware

@sirpedrotavares seguranca-informatica.pt 0xSI_f33d

Search…

Start reversing Trendnet TS-S402 firmware device.

Downloading the firmware from the vendor webpage
First, we need to download the firmware from the vendor webpage. I downloaded the 2015 version:
1
wget http://downloads.trendnet.com/TS-S402/firmware/FW_TS-S402(2.00.13).zip
Copied!
Next, unzip the firmware file:
1
unzip FW_TS-S402\(2.00.13\).zip
Copied!
Inspecting the binary files
Using file command we can get some information from the firmware binary files:
1
file REMOTE_PACKAGE_2_30.bin
2
file TS-S402_FW_2_00_13.bin
Copied!
Or not 🤬
 
Let's using binwalk - our best friend 😎
 
1
binwalk TS-S402_FW_2_00_13.bin
Copied!
We can observe a lot of LZMA data, however, we got an interesting gzip compressed file as well. From this point, we can use the -x option to ignore LZMA compression and extract only the gzip file. Something like this:
binwalk -ex lzma TS-S402_FW_2_00_13.bin
-e: extraction option
-x: ignore option

Accessing the _TS-S402-FW... folder, we can observe two files:
1
file 20                    
2
20: POSIX tar archive (GNU)
Copied!
Ok, 20 file is another compressed file. Let's renaming it and unarchiving it.
1
mv 20 20.tar 
2
tar -xvf 20.tar
Copied!
Yeah dude, it was a strong journey! 😎
 
Mount the filesystem
1
mkdir sqsh
2
sudo mount rootfs.armeb.squashfs ./sqsh/ -t squash fs -o loop
Copied!
If you got an error, don't worry about that!
If we look at the hexadecimal, we can see the file format:
1
cat rootfs.armeb.squashfs | xxd | less
Copied!
Install: https://github.com/devttys0/sasquatch​
and
1
./sasquatch rootfs.armeb.squashfs 
2
ls
Copied!
References
​

Reverse TP-Link Router TL-WR841N

Full emulate Netgear WNAP320

Last modified 5mo ago

Copy link

Contents

Downloading the firmware from the vendor webpage

Inspecting the binary files

Mount the filesystem

References