Release of ‘fwtool’ – firmware image manipulation tool

This is the initial public release of my ‘fwtool’ firmware manipulation tool. The utility can be used to ‘unpack’ a firmware update “.bin” file into its component pieces (kernel, rootfs, and optional WiFi firmware), or to ‘pack’ these files back into a “.bin” firmware update file.

Here is a link to the code (source code, Linux x86, MacOS x86 binaries inside): fwtools_20100826c.tgz

WARNING: Patching/modifying firmware is not for everyone!  You could very easily BRICK your iSpot if you make a mistake!  Also, loading custom/patched firmware into your iSpot will likely VOID your warranty!  Proceed with caution!

The simplest use case is to unpack the “.bin” file to a directory which will contain the component files.  For example (use “-unpack infile.bin outdir” args):

$ ./fwtool -unpack iSpot_Software_080510.bin 080510_expanded
Wrote '080510_expanded/kernel.bin' successfully
Wrote '080510_expanded/rootfs.bin' successfully
Wrote '080510_expanded/wifi.bin' successfully
Wrote '080510_expanded/fwinfo.txt' successfully

“kernel.bin” is a Linux compressed kernel image (with a ‘header app’ that decompresses it) targeted for an ARM CPU.

“rootfs.bin” is a JFFS2 root filesystem image (“kernel.bin” and “rootfs.bin” go together).

“wifi.bin” (not always part of the “.bin” file) contains the firmware for the WiFi daughterboard. It is a Linux compressed kernel image (with built-in initrd ramdisk) targeted for a MIPS CPU.

At this point, you can inspect/patch/replace files in the output directory.  Once you are finished, you can pack them back up into a new “.bin” file.  For example (use “-pack indir outfile.bin” args): 

$ ./fwtool -pack 080510_expanded iSpot_Software_080510_new.bin
Loaded '080510_expanded/fwinfo.txt' successfully
Loaded '080510_expanded/kernel.bin' successfully
Loaded '080510_expanded/rootfs.bin' successfully
Loaded '080510_expanded/wifi.bin' successfully
Wrote iSpot_Software_080510_new.bin successfully

As described in “Why don’t firmware ‘downgrades’ work on the iSpot?“, the iSpot will refuse to install a firmware “.bin” file if the “svn version” is less than or equal to the current firmware’s version, or if the kernel/rootfs md5sum is found in a ‘blacklist’ table in the current firmware.

In order to allow for downgrading to old/blacklisted software, I’ve added a couple of options to the “-pack” process:

  • -svn-ver #### : Sets the output “.bin” file’s “svn version” value to “####”
  • -tweak-md5 : If specified, fwtool will modify the kernel/rootfs images in such a way that their md5sums will be different. This will allow them to get past the ‘blacklist’ test.

 

So, in order to modify an ‘illegal’ (old/blacklisted) “.bin” file in such a way that it will be accepted by the iSpot, first unpack the “.bin” to a directory.  Then, pack the directory back into a new “.bin” – specifying “-svn-ver ####” with a value that is larger than the currently running firmware’s version, and “-tweak-md5”:

$ ./fwtool -unpack iSpot_Software_080510.bin 080510_expanded
Wrote '080510_expanded/kernel.bin' successfully
Wrote '080510_expanded/rootfs.bin' successfully
Wrote '080510_expanded/wifi.bin' successfully
Wrote '080510_expanded/fwinfo.txt' successfully

$ ./fwtool -pack -svn-ver 1822 -tweak-md5 080510_expanded iSpot_Software_080510_allow_downgrade.bin
Loaded '080510_expanded/fwinfo.txt' successfully
Loaded '080510_expanded/kernel.bin' successfully
Loaded '080510_expanded/rootfs.bin' successfully
Loaded '080510_expanded/wifi.bin' successfully
Wrote iSpot_Software_080510_allow_downgrade.bin successfully
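
The acceptance check described above, modelled as an added example (this is not fwtool's code or the iSpot firmware's code): it shows why a version field read from the image plus an md5 blacklist does not stop an old image from being re-packed, and what a check that authenticates the version together with the image contents does instead. All names, image bytes, the current version and the key are constructed; HMAC-SHA256 stands in for a vendor signature so the block needs only the standard library.

```python
import hashlib
import hmac

# Constructed sample data: not real iSpot images, versions or keys.
CURRENT_SVN_VER = 1800
OLD_KERNEL = b"constructed-old-kernel-image"
OLD_ROOTFS = b"constructed-old-rootfs-image"
MD5_BLACKLIST = {hashlib.md5(OLD_KERNEL).hexdigest(),
                 hashlib.md5(OLD_ROOTFS).hexdigest()}
# Stand-in for a vendor signing key. A real design would use an asymmetric
# signature so the device holds only the public key.
VENDOR_KEY = b"constructed-demo-key"


def weak_accept(svn_ver, kernel, rootfs):
    """Model of the check the post describes: the version is whatever the
    image header claims, and known-bad images are listed by md5sum."""
    if svn_ver <= CURRENT_SVN_VER:
        return False
    digests = {hashlib.md5(kernel).hexdigest(),
               hashlib.md5(rootfs).hexdigest()}
    return not (digests & MD5_BLACKLIST)


def vendor_tag(svn_ver, kernel, rootfs):
    """Vendor side: authenticate version and both images as one message.
    Length prefixes keep the kernel/rootfs boundary unambiguous."""
    msg = svn_ver.to_bytes(4, "big")
    for part in (kernel, rootfs):
        msg += len(part).to_bytes(4, "big") + part
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()


def hardened_accept(svn_ver, kernel, rootfs, tag):
    """Device side: reject unless the tag covers exactly this version and
    these bytes, then apply the anti-rollback comparison."""
    expected = vendor_tag(svn_ver, kernel, rootfs)
    if not hmac.compare_digest(tag, expected):
        return False
    return svn_ver > CURRENT_SVN_VER


if __name__ == "__main__":
    tag = vendor_tag(1700, OLD_KERNEL, OLD_ROOTFS)  # tag of the old release
    repacked = (1822, OLD_KERNEL + b"\x00", OLD_ROOTFS + b"\x00")
    print("weak check accepts re-packed old image:", weak_accept(*repacked))
    print("hardened check accepts it:", hardened_accept(*repacked, tag))
```

In the hardened model a blacklist is no longer needed for rollback protection, because neither the version nor a single image byte can change without invalidating the tag.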

Disclaimer: information on this site is for educational purposes only, and intended to help iSpot owners experiment with their own devices. I do not condone any hacking for illegal purposes, such as stealing service, etc.


4 Responses to Release of ‘fwtool’ – firmware image manipulation tool

  1. Pingback: iSpot – Updates, Firmware Versions and more – iSpot Unrestricted

  2. Pingback: iSpot firmware download image file format | Hacking the iSpot

  3. lid says:

    That’s super awesome that you were able to figure out how to unpack it… mad props to you.

  4. Pingback: [PROJECT] M9 firmware extraction - Page 5 - Meizu Me
