# Reverse Trendnet TS-S402 firmware ## Downloading the firmware from the vendor webpage First, we need to download the firmware from the vendor webpage. I downloaded the 2015 version: ``` wget http://downloads.trendnet.com/TS-S402/firmware/FW_TS-S402(2.00.13).zip ``` {% embed url="" %} ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYoer5xPchqGLHvFdU2%2Fimage.png?alt=media\&token=3111394c-7e6d-4ead-bfb7-a6a53b9387f2) Next, unzip the firmware file: ``` unzip FW_TS-S402\(2.00.13\).zip ``` ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYofPWtqPjqhFOAdhja%2Fimage.png?alt=media\&token=ed9d4896-66ed-4a25-a064-abbfe5a63246) ## Inspecting the binary files Using **file** command we can get some information from the firmware binary files: ``` file REMOTE_PACKAGE_2_30.bin file TS-S402_FW_2_00_13.bin ``` ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYofquhIpsUYNFe7h6d%2Fimage.png?alt=media\&token=ea5af5dc-1a77-4965-b12e-8b2517fef5a5) Or not :face\_with\_symbols\_over\_mouth: ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYogAKjZRwoI-y1Q14n%2Fimage.png?alt=media\&token=59f16bc6-4244-4d28-beaf-5479a88fa5b5) Let's using binwalk - our best friend :sunglasses: ``` binwalk TS-S402_FW_2_00_13.bin ``` ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYogY8YVwjEMXgZjDMx%2Fimage.png?alt=media\&token=99f1529e-0c73-4bbb-b223-30e7a114bdad) We can observe a lot of LZMA data, however, we got an interesting gzip compressed file as well. From this point, we can use the **-x option to ignore LZMA compression** and extract only the gzip file. Something like this: {% hint style="success" %} binwalk **-ex lzma** TS-S402\_FW\_2\_00\_13.bin -**e:** extraction option\ \&#xNAN;**-x:** ignore option
{% endhint %} ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYohT3oaQ_htfJYAw9N%2Fimage.png?alt=media\&token=9fb97582-01cf-446e-bc41-5ab064b90815) Accessing the \_TS-S402-FW\... folder, we can observe two files: ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYoi8JKW1Z9-gjit1Bf%2Fimage.png?alt=media\&token=3e48f0ce-c824-413f-854a-dd9d00113f01) ``` file 20 20: POSIX tar archive (GNU) ``` Ok, **20** file is another compressed file. Let's renaming it and unarchiving it. ``` mv 20 20.tar tar -xvf 20.tar ``` ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYoiVZ4nnyyO2PuhJ0V%2Fimage.png?alt=media\&token=80496e3e-48c0-49c3-b419-300cb9c30bb7) Yeah dude, it was a strong journey! :sunglasses: ## Mount the filesystem ``` mkdir sqsh sudo mount rootfs.armeb.squashfs ./sqsh/ -t squash fs -o loop ``` If you got an error, don't worry about that! ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYomBEsMuf4x4I8nvbW%2Fimage.png?alt=media\&token=a76fdd8a-8a43-4134-b0ff-76b1ca6ec3ef) If we look at the hexadecimal, we can see the file format: ``` cat rootfs.armeb.squashfs | xxd | less ``` ![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MYoeHxetrXrxC6o-2Mp%2F-MYoo0BdtTwIe_MG90sS%2Fimage.png?alt=media\&token=e8689b95-cd13-4bae-93cd-d523715661e4) **Install**: and ``` ./sasquatch rootfs.armeb.squashfs ls ``` ## References {% embed url="" %} {% embed url="" %}