Wanna see this logo while booting your 2.6 kernel? Click here!

10.10.2007 09:17

HOWTO extract FON firmware archives (.fon)


Since yesterday I'm trying to extract FON firmware files (ending with .fon) to have a look at the internals of these routers.
Doing this isn't that easy, because it isn't documented anywhere (at least I haven't found useful information about this), so I started at Stefan's Fonera Hacking website and found a script called defon.sh which does basically extract the embedded tar.gz archive out of the fon image file:
tuxx@vi-edv003:~/fonfw$ ./defon.sh fonera_0.7.1.5.fon >fonera.tar.gz
Upgrade contains a new firmware
tuxx@vi-edv003:~/fonfw$
After "defoning" the .fon file, you'll get a file called "fonera.tar.gz" which can now easily be extracted:
tuxx@vi-edv003:~/fonfw$ tar xzf fonera.tar.gz
tuxx@vi-edv003:~/fonfw$ ls
defon.sh  fonera.tar.gz  fonera_0.7.1.5.fon  hotfix  rootfs.squashfs  upgrade
tuxx@vi-edv003:~/fonfw$
As you can see, a file called "rootfs.squashfs" got extracted. All my attempts to either `mount` it or `unsquashfs` it failed, but after a lot of googling, I found this site which talks about different ways of extracting specific squashfs files and the last mentioned method with the help of the Firmware Modification Kit finally worked!
At first, you'll have to download the firmware modkit archive and extract it:
tuxx@vi-edv003:~/fonfw$ wget -q http://download.berlios.de/firmwaremodkit/firmware_mod_tools_prebuilt.tar.gz
tuxx@vi-edv003:~/fonfw$ mkdir firmware_mod_tools
tuxx@vi-edv003:~/fonfw$ tar -x -C firmware_mod_tools -f firmware_mod_tools_prebuilt.tar.gz
tuxx@vi-edv003:~/fonfw$
Now you can use the script "unsquashfs-lzma" for SquashFS v3.0 filesystems to finally extract the archive:
tuxx@vi-edv003:~/fonfw$ firmware_mod_tools/src/squashfs-3.0/unsquashfs-lzma rootfs.squashfs
Reading a different endian SQUASHFS filesystem on rootfs.squashfs

created 330 files
created 53 directories
created 145 symlinks
created 0 devices
created 0 fifos
tuxx@vi-edv003:~/fonfw$
The generated directory "squashfs-root" now contains the contents of the FON firmware:
tuxx@vi-edv003:~/fonfw$ ls squashfs-root/
bin  dev  etc  jffs  lib  mnt  proc  rom  sbin  sys  tmp  usr  var  www
tuxx@vi-edv003:~/fonfw$

Happy hacking ;)