Reverse Trendnet TS-S402 firmware

Start reversing Trendnet TS-S402 firmware device.

Downloading the firmware from the vendor webpage

First, we need to download the firmware from the vendor webpage. I downloaded the 2015 version:

wget http://downloads.trendnet.com/TS-S402/firmware/FW_TS-S402(2.00.13).zip

Next, unzip the firmware file:

unzip FW_TS-S402\(2.00.13\).zip

Inspecting the binary files

Using file command we can get some information from the firmware binary files:

file REMOTE_PACKAGE_2_30.bin
file TS-S402_FW_2_00_13.bin

Or not 🤬

Let's using binwalk - our best friend 😎

binwalk TS-S402_FW_2_00_13.bin

We can observe a lot of LZMA data, however, we got an interesting gzip compressed file as well. From this point, we can use the -x option to ignore LZMA compression and extract only the gzip file. Something like this:

binwalk -ex lzma TS-S402_FW_2_00_13.bin

-e: extraction option -x: ignore option

Accessing the _TS-S402-FW... folder, we can observe two files:

file 20
20: POSIX tar archive (GNU)

Ok, 20 file is another compressed file. Let's renaming it and unarchiving it.

mv 20 20.tar
tar -xvf 20.tar

Yeah dude, it was a strong journey! 😎

Mount the filesystem

mkdir sqsh
sudo mount rootfs.armeb.squashfs ./sqsh/ -t squash fs -o loop

If you got an error, don't worry about that!

If we look at the hexadecimal, we can see the file format:

cat rootfs.armeb.squashfs | xxd | less

Install: https://github.com/devttys0/sasquatch

and

./sasquatch rootfs.armeb.squashfs
ls

References