Thread Rating:
  • 2 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Tutorial] How to unpack and repack UBFI firmware images
BTC Offline
Haxorware Enthusiast
***

Posts: 64
Threads: 6
Joined: Aug 2018
Reputation: 7
#1
[Tutorial] How to unpack and repack UBFI firmware images
UBFI images are the firmware images that Puma5 and some Puma6 modems use.

Before we can unpack these, first let's learn exactly what goes into these images.

A standard UBFI image is actually two files concatenated together:
  • A uImage boot script file
  • A uImage multi-image file containing the following:
    • zImage Linux kernel
    • Squashfs root filesystem
So, unpacking these files should be relatively straightforward: We need to extract the boot script, zImage, and Squashfs.

If we check out the file format in Binwalk, we see basically that:
[Image: y0fKTpV.png]


Unpacking images

To unpack UBFI images, we're going to use a hex editor and copy the data out by hand.
Start by opening your UBFI image in a hex editor.

Boot Script
To extract the boot script, identify the first character in your boot script. It should be visible very early.

[Image: IcYJGLq.png]

So, 4 bytes before the first character in our boot script is the length of the boot script, it is 2300.

Now, use your hex editor's block select feature to select the block starting at our first character, with a length of 2300.

[Image: YFRzdnv.png]

Copy and paste into a new file, and check it out to make sure it looks right!
[Image: P2xTBAT.png]


At the end of our boot script, we see some null bytes:
[Image: uzxjYG4.png]

These can safely be deleted. It is an artifact from padding, and normally these are ignored.

zImage Kernel and Squashfs
To find the kernel, we're actually going to use binwalk. It will save us time.

[Image: TqnOXRO.png]

We easily locate the starting positions of the zImage and the Squashfs:
2394 and FD800.

Now navigate to 2394 with Goto, then go 4 bytes before...what do we see?
[Image: xgqaO16.png]

So, 4 bytes before the zImage (just like for the boot script), we find the lengths of the files in the image.
Since this is a multi-image file, and there is two files, there's two lengths. Each length is separated with 1 byte.

First come first serve, the zImage is our first length and the Squashfs is our second length.
So, our zImage length is FB46C and our Squashfs length is 400C00.

So, block select from 2394 with a length of FB46C.
You should be able to see the beginning of the Squashfs immediately after your selection.
[Image: oXw0eHF.png]

Copy+paste, save and you've got the zImage!


The exact same process is used to extract the Squashfs: block select from FD800 with a length of 400C00.

Unpacking Squashfs
To make changes to the root filesystem, you will have to unpack the Squashfs. This is extremely simple!

Code:
unsquashfs -d squashfs-root squashfsfilename

You can install unsquashfs by installing squashfs-tools on Debian/Ubuntu, refer to Google for other distros.


Repacking images


The first thing we have to do is repack the Squashfs back into a Squashfs filesystem. To do this, it's just as simple as unpacking it:
Code:
mksquashfs squashfs-root squashfsfilename -noappend -comp xz

This will repack (and overwrite) our squashfs from all the files in squashfs-root - which is where we extracted it originally.

You may need to tinker with block size and compression algorithms - not all modems support all compression algorithms.

Once this is done, we just need to create new uImages and concatenate them.
But, before we can make new uImages, we're going to need another package: uboot-tools.

Once you have everything ready, run these commands with the appropriate file names:
Code:
mkimage -A powerpc -O linux -T script -a 0 -e 0 -C none -n "Boot Script File" -d bootscriptfilename BootScriptuImage
mkimage -A arm -O linux -T multi -a 0xA00000 -e 0xA00000 -C none -n "Multi Image File" -d zImagefilename:Squashfsfilename KernelFileSystemuImage
cat BootScriptuImage KernelFileSystemuImage > UBFI
This will compile bootscriptfilename, zImagefilename, and Squashfsfilename into a working UBFI image.

You should note that the data address and entrypoint may differ on some modems, you can find the correct values  from Binwalk:

[Image: XHDyEvU.png]

However, most modems use the same values.

Enjoy!
(This post was last modified: 30-08-2019, 09:22 AM by BTC.)
30-08-2019, 08:31 AM
Find Reply
doctor Offline
Senior Member
****

Posts: 198
Threads: 11
Joined: Mar 2017
Reputation: 11
#2
RE: [Tutorial] How to unpack and repack UBFI firmware images
Great tutorial once again , well illustrated and simple to follow . Can’t wait for the next one Smile

30-08-2019, 08:34 PM
Find Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)