I’ve analyzed the structure of the “.bin” files used for firmware updates on the iSpot, and will document\/update my findings below.<\/p>\n
Here is a hex-dump of the beginning of a firmware update “.bin” file (this is from “iSpot_Software_080510.bin”):<\/p>\n
00000000 49 4d 57 2d 43 36 31 35 57 00 00 00 00 00 00 00 |IMW-C615W.......|\r\n00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000020 04 03 02 01 01 09 09 04 fa 06 00 00 07 00 00 00 |................|\r\n00000030 00 04 00 00 ec 96 11 00 c6 3d 6c 04 ad 30 9f 57 |.........=l..0.W|\r\n00000040 eb 68 2f c1 f3 9f da 48 ec 9a 11 00 00 00 52 00 |.h\/....H......R.|\r\n00000050 33 dd ab bd 0f da 5d 02 f2 db c1 5e 35 bb 61 7e |3.....]....^5.a~|\r\n00000060 ec 9a 63 00 72 73 16 00 d9 ed ae eb 3d 90 b8 87 |..c.rs......=...|\r\n00000070 9d 7e 10 93 a8 2d 52 4f 00 00 00 00 00 00 00 00 |.~...-RO........|\r\n00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n00000090 31 2e 31 2e 31 00 00 00 00 00 00 00 00 00 00 00 |1.1.1...........|\r\n000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\r\n000000c0 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff |................|<\/pre>\nHere is a description of the data at specific offsets:<\/p>\n
0000-001e :<\/strong> Text description of image file (“name”)<\/p>\n
001f-001f :<\/strong> I believe this is just a NULL terminator for the above string<\/p>\n
0020-0023 :<\/strong> Used by the flash_program application to determine byte order (big- vs little- endian) of the file.\u00a0 Should always be “04 03 02 01”.<\/p>\n
0024-0027 :<\/strong> Version number (“vpos”):\u00a0(“01 09 09 04” in this build: corresponds to “v1994”)<\/p>\n
0028-002b :<\/strong> SVN version number (“svn”): same as value stored in this image’s “\/etc\/version.svn”, stored as a little-endian 32-bit value<\/p>\n
002c-002c :<\/strong> Bitmask describing which ‘sub-files’ are contained in the .bin (“bintype”).<\/p>\n
If bit 0 is set (bitmask 0x01), then the image contains a KERNEL<\/em>.<\/p>\n
If bit 1 is set (bitmask 0x02), then the image contains a jffs2 root filesystem (ROOTFS<\/em>).<\/p>\n
If bit 2 is set (bitmask 0x04), then the image contains a WiFi firmware image (WIFI<\/em>).<\/p>\n
If bit 3 is set (bitmask 0x08), then the image contains an unknown 4th sub-file image (UNDEF).<\/p>\n
002d-002f : <\/strong>Unknown\/undefined<\/p>\n
KERNEL info:<\/em><\/p>\n
0030-0033 :<\/strong> Offset into .bin file to start of kernel image (if “bintype”\u00a0KERNEL<\/em> bit is set) (little-endian 32-bit)<\/p>\n
0034-0037 :<\/strong> Size of\u00a0kernel image (if “bintype”\u00a0KERNEL<\/em> bit is set)\u00a0(little-endian 32-bit)<\/p>\n
0038-0047 :<\/strong> MD5 hash of kernel image (if “bintype”\u00a0KERNEL<\/em> bit is set)<\/p>\n
ROOTFS info:<\/em><\/p>\n
0048-004b :<\/strong> Offset into .bin file to start of\u00a0jffs2 root filesystem\u00a0image (if “bintype”\u00a0ROOTFS<\/em> bit is set)\u00a0(little-endian 32-bit)<\/p>\n
004c-004f :<\/strong> Size of jffs2 root filesystem\u00a0image (if “bintype”\u00a0ROOTFS<\/em> bit is set)\u00a0(little-endian 32-bit)<\/p>\n
0050-005f :<\/strong> MD5 hash of\u00a0jffs2 root filesystem image (if “bintype”\u00a0ROOTFS<\/em> bit is set)<\/p>\n
WIFI info:<\/em><\/p>\n
0060-0063 :<\/strong> Offset into .bin file to start of\u00a0WiFi firmware\u00a0image (if “bintype”\u00a0WIFI<\/em> bit is set)\u00a0(little-endian 32-bit)<\/p>\n
0064-0067 :<\/strong> Size of\u00a0WiFi firmware image (if “bintype”\u00a0WIFI<\/em> bit is set)\u00a0(little-endian 32-bit)<\/p>\n
0068-0077 :<\/strong> MD5 hash of\u00a0WiFi firmware image (if “bintype”\u00a0WIFI<\/em> bit is set)<\/p>\n
UNDEF info:<\/em><\/p>\n
0078-008f :<\/strong> Appears to be room for fourth ‘sub-file’ info<\/p>\n
0090-???? :<\/strong> If “bintype” WIFI bit is set, then the ASCII (NULL terminated)\u00a0version string\u00a0for the WiFi image is stored here (max length unknown).<\/p>\n
????-00c3 :<\/strong> Unknown (currently NULL bytes)<\/p>\n
Looking at the specific file header show in the hex-dump above, you can see that the “svn” version number is 0x000006fa (“1786” decimal).<\/p>\n
The “.bin” file contains a kernel image, a jffs2 root filesystem image, and a WiFi firmware image (because “bintype” is “07”, so all three file type bits are set).<\/p>\n
The KERNEL image starts at offset 0x00000400\u00a0into the “.bin” file, and is 0x1196ec bytes long.<\/p>\n
The ROOTFS image starts at offset 0x119aec\u00a0into the “.bin” file, and is 0x00520000 bytes long.<\/p>\n
The WIFI image starts at offset 0x00639aec into the “.bin” file, and is 0x00167372 bytes long.<\/p>\n
\u00a0<\/p>\n
Sub-file image format<\/h3>\n
The KERNEL image is a standard compressed kernel image (with a ‘header applet’ which decompresses the kernel payload\u00a0and jumps to it). It is for an ARM architecture CPU.<\/p>\n
The ROOTFS image is a JFFS2 filesystem image. This was likely created either directly using “mkfs.jffs2”, or by dumping the contents of the flash chip\u00a0partition after the JFFS2 image was created there.<\/p>\n
The WIFI image is a standard compressed kernel image with an embedded init ramdisk<\/em> (“initrd”). This kernel is for a MIPS architecture CPU.<\/p>\n
Manipulating firmware update image<\/h3>\n
I plan on releasing some utilities for unpacking\/repacking the contents of a firmware update image.\u00a0 Once finished, a link will be provided here.<\/p>\n
EDIT<\/strong><\/em>: The firmware manipulation utility has been released. See this article : “Release of \u2018fwtool\u2019 \u2013 firmware image manipulation tool<\/a>“.<\/p>\n
Disclaimer: information on this site is for educational purposes only, and intended to help iSpot owners experiment with their own devices. I do not condone any hacking for illegal purposes, such as stealing service, etc.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
I’ve analyzed the structure of the “.bin” files used for firmware updates on the iSpot, and will document\/update my findings below. Here is a hex-dump of the beginning of a firmware update “.bin” file (this is from “iSpot_Software_080510.bin”): 00000000 49 … Continue reading