In Windows XP, Click Start Button - All Programs - Accessories -
Communication - HyperTerminal
Enter a name for the connection, Click ok
Choose com port you adapter is plugged into, Click ok
Bits per second = 115200
Data Bits = 8
Parity = none
Stop bits = 1
Flow control = none
Click File - Save As, and select a place to save it to so you
don't have to enter the settings again.
After installing putty, run it
Serial line = The COM port your using for serial (ie. COM3)
Speed = 115200
Click on Serial under Connection
Serial line to connect to = same as above (Serial line)
Speed (baud) = 115200
Data bits = 8
Stop bits = 1
Parity = None
Flow control = None
Enter a name for your connection under saved sessions
0x0000 > Section 1 [128 bytes]
* [49 AF 08 12 30 2C 02 14] "Magic" header, 8 bytes. Found in all firmware images for TZ170
and one image for TZ-150.
0x0080 > Section 2 [640 bytes]
0x0300 > Section 3 [128 bytes]
* 0x0300 - Always "SonicOS Standard" from what I can tell
* 0x0320 - Firmware revision number, displayed verbatim in web interface
* 0x0340 - Compiling machine name (?)
* 0x0380 - Compiling user name (pseudo-confirmed)
0x03c0 > Section 4 [data] [ to EOF ]
I could almost write an entirely different post for all the time that I spent decoding this. Having very little prior experience with filesystems, it was definitely a learning adventure to say the least. I haven't been able to figure out how the device decides where this filesystem begins and where it ends, but I am 100% certain that I've decoded the FAT table for whatever filesystem this is. It's worth noting that when you do, however, find the beginning of the FAT table, from that address to the end of the firmware image is the entirety of the filesystem (checked and confirmed by myself on multiple firmware versions).
A FAT entry for this system looks as follows:
00 00 3E C6 00 00 25 68 00 00 86 7A 0D 65 76 65 6E 74 6C 69 73 74 2E 74 78 74 00
. . > Æ . . % h . . † z . e v e n t l i s t . t x t .
0x0000 - 0x0003 <> Location of file, offset from head of filesystem
0x0004 - 0x0007 <> Size of file in filesystem
0x0008 - 0x000B <> Size of file extracted and uncompressed/decrypted
0x000C <> Length of filename text
0x000D - to length <> filename + null character
The head of the filesystem is calculated by finding the first entry in the FAT, and subtracting 4 bytes. The 4 bytes before the first entry indicate how many files are stored in the system. For instance, for firmware version 188.8.131.52, there are 511 files contained in the image (encrypted of course). If you do a hex search for 0x01ffh you will find two entries. The first is in the header, the second is about halfway to the end of the file. The second one is what we're looking at. From there, we know that immediately following this WORD value is the first entry in the FAT for "eventlist.txt". The end of the filesystem can be calculated using the first FAT entry. For the "footer" of this filesystem, there are 8 bytes (two WORD values), right before the offset indicated by the first FAT entry. I have as of right now been unable to figure out what these values are in relation to everything else. They're not a static signature as they vary slightly between firmware versions. However, from what I can tell the first 3 bytes are always [08h 78h 9Ch] (unconfirmed). Hope I haven't forgotten anything!
As of right now I can not get the TZ-170 to take any modified firmware image. This consisted of editing the "username" field in the header, to which the SonicWall cried out as it was not a "signed" firmware image.
I have just ordered an RS-232 TTL converter, and as soon as that gets here I will be poking around on the board looking for a secondary UART port. There are some nice pin groupings on the PCB that I can't wait to probe!
Figuring that I won't have any luck with the TTL converter, I will be trying to find the JTAG pinout of the processor, and hopefully I can dump something interesting/useful. Maybe I'll be able to sign those images! I'll be doing this with an Arduino, because I feel this affords me more flexibility when probing for pins. Plus, you know, Arduino!
This took me an hour and a half to organize and write, but probably just a few minutes for you to read! :]
My eventual goal is to port OpenWRT/DD-WRT to this appliance, and hopefully this whole series of appliances! But as of right now I have hit a dead end. So if you have any ideas, experience, or hardware you'd like to contribute to this cause, please feel free to post/message me! Particularly, if you can shed any light onto how these images are encrypted/signed, I would be forever grateful. Also, you're wondering how you're supposed to obtain the firmware images listed above. There is a reason I have included the filename + the MD5 checksum. I'm not entirely sure, however, if Googling these files will return any results. If you would like me to send these images to you for reversing purposes, just message me. I have a nice little 7z archive will all three versions mentioned above sitting on my desktop. Lastly, thank you for taking the time to read this!