Skip to content

frizzoot/BRCM-Unpack

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
README.MD
README.MD
 
 
unpack.sh
unpack.sh
 
 

Repository files navigation

Broadcom Firmware Image Unpacker

Introduction

This bash script is used to assist with the unpacking of a Broadcom firmware update package.

Tested on Ubuntu 24.04 with firmware for a NOKIA BGW320-505 Residential Gateway.

This script should work with all firmware versions as of writing.

*Fixed issue with old version pattern Oct 18 24.

The SquashFS is encrypted on current versions.

This script does not attempt to decrypt any information.

Root permissions are NOT necessary to run this script.

Features

Attempts to identify, extract, decompress & analyze the following:

- Device Tree Blob / File Device Tree
- Embedded Images & Nodes
- Image Package Version, Description & Identity Information
- Kernel Information & Build Configuration
- Image Security Policy
- Embedded Salts & Keys
- Root Filesystem Image
- Device Mapper Configuration

Example Usage

Example Image Name: "spTurquoise320-505_6.28.7_sec.bin"

Install Dependencies:

sudo apt-get ugrep device-tree-compiler coreutils u-boot-tools gzip xz-utils

Check Permissions:

sudo chown user:user spTurquoise320-505_6.28.7_sec.bin

Run Script:

./unpack.sh spTurquoise320-505_6.28.7_sec.bin

Example Terminal Output

Image Processing Started on Sat Oct  5 12:49:36 PM EDT 2024 

Log: /home/user/unpack/output.log
Source: /home/user/unpack/spTurquoise320-505_6.28.7_sec.bin
Size: 89331668

Checking Package Version

Checking for FDT Pattern

FDT Offset: 3336
Saved: /home/user/unpack/spTurquoise320-505_6.28.7_sec.dtb
Saved: /home/user/unpack/spTurquoise320-505_6.28.7_sec.dts

Description: Broadcom BCA image upgrade package tree binary
Nodes: images configurations 
Configuration: flash=emmc chip=6858 rev=b0+ ip=ipv6,ipv4 ddr=ddr3 fstype=squashfs profile=BGW320-505
Images: bootfs_6858_b0+ emmc_squashfs 

Extracting: bootfs_6858_b0+
  Description:  bootfs
  Created:      Thu Jul 11 21:47:49 2024
  Type:         Multi-File Image
  Compression:  uncompressed
Saved: /home/user/unpack/bootfs_6858_b0+

Image Description: Simple image with ATF and optional OP-TEE support
Nodes: trust brcm_rootfs_encrypt security images configurations 
Identity:
 imageversion: 5044p2BGW320-5051940145 
 imgversion: 5.04L.04p2 
 image_version: 6.28.7 
 image_ident: 006.028.007 
 swverforuboot: 006.028.007 
Trust: anti-rollback hw_state encoded_keys sec_exports 

Extracting Trust Node Salts and Keys

Salts:

item_name = key_dev_specific_256
algo = sha256
salt = EXAMPLE
length = 2

item_name = key_dev_specific_512
algo = sha256
salt = EXAMPLE
length = 4

item_name = key_rpmb_auth
algo = sha256
salt = EXAMPLE
length = 2

Encoded Keys:

Description: OPTEE Key
Algo: aes-cbc-128
Name: optee_aes
Data: EXAMPLE

Description: Image decryption Key
Algo: aes-cbc-128
Name: image_aes
Data: EXAMPLE

Description: Bootloader CLI Key seed
Algo: aes-cbc-128
Name: cli_seed

Description: rpmb authentication key for provisioning image
Algo: aes-cbc-128
Name: rpmb_auth

Description: mascert key
Algo: aes-cbc-128
Name: mascert_key
Data: EXAMPLE

Checking RootFS Encryption Node

Mapper: EXAMPLE

Dev: EXAMPLE

Type: squashfs

Checking Security Node

Extracting Embedded DTB Security Data

Security Policy:

security_policy 
delegate_id = 1
min_tpl_compatibility = 2

keyaes 
description = Encrypted AES key  Mandatory Node
data = EXAMPLE
algo = aescbc128

Anti Rollback Options:

antirollback 
status = enabled
description = Antirollback update  Optional Node
new_antirollback = 5
antirollback_limit = f

Saved: /home/user/unpack/secblob.dts

Security Node Signature:

EXAMPLE

Checking Image Node

Images: atf optee uboot fdt_uboot kernel fdt_BGW320_500 fdt_BGW320_505 

Extracting: atf
  Description:  ATF
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Firmware
  Compression:  uncompressed
Saved: /home/user/unpack/atf

Extracting: optee
  Description:  OPTEE
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Unknown Image
  Compression:  uncompressed
Saved: /home/user/unpack/optee

Extracting: uboot
  Description:  U-Boot
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Unknown Image
  Compression:  uncompressed
Saved: /home/user/unpack/uboot

Extracting: fdt_uboot
  Description:  dtb
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Flat Device Tree
  Compression:  uncompressed
Saved: /home/user/unpack/fdt_uboot

Extracting: kernel
  Description:  Linux kernel
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Kernel Image
  Compression:  lzma compressed
Saved: /home/user/unpack/kernel

Extracting: fdt_BGW320_500
  Description:  dtb
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Flat Device Tree
  Compression:  uncompressed
Saved: /home/user/unpack/fdt_BGW320_500

Extracting: fdt_BGW320_505
  Description:  dtb
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Flat Device Tree
  Compression:  uncompressed
Saved: /home/user/unpack/fdt_BGW320_505


Extracting: emmc_squashfs
  Description:  rootfs
  Created:      Thu Jul 11 21:47:49 2024
  Type:         Filesystem Image
  Compression:  uncompressed
Saved: /home/user/unpack/emmc_squashfs

Finished Image Processing: Sat Oct  5 12:49:38 PM EDT 2024

Started Kernel Processing: Sat Oct  5 12:49:38 PM EDT 2024

Kernel Image Information:
 Image 4 (kernel)
  Description:  Linux kernel
  Created:      Thu Jul 11 21:47:05 2024
  Type:         Kernel Image
  Compression:  lzma compressed
  Data Size:    3281971 Bytes = 3205.05 KiB = 3.13 MiB
  Architecture: AArch64
  OS:           Linux
  Load Address: 0x01000000
  Entry Point:  0x01000000
  Hash algo:    sha256
  Hash value:   EXAMPLE

Decompressing Kernel

File Information: Linux kernel ARM64 boot executable Image, little-endian, 4K pages
Size: 9496584
Saved: /home/user/unpack/kernel.bin

Checking for Kernel Configuration

Offset: 7004216-7028790
Saved: /home/user/unpack/kconfig.gz

Decompressing Kernel Configuration

Configuration Information:
Linux/arm64 4.19.275 Kernel Configuration
Compiler: EXAMPLE
Saved: /home/user/unpack/kconfig.conf

All Processing Completed on Sat Oct  5 12:49:38 PM EDT 2024

Example File Output List

-rw------- 1 user user  49K Oct  5 12:49 atf
-rw------- 1 user user 7.7M Oct  5 12:49 bootfs_6858_b0+
-rw-rw-r-- 1 user user  11K Oct  5 12:49 bootfs_6858_b0+.dts
-rw------- 1 user user  78M Oct  5 12:49 emmc_squashfs
-rw------- 1 user user  69K Oct  5 12:49 fdt_BGW320_500
-rw------- 1 user user  67K Oct  5 12:49 fdt_BGW320_505
-rw------- 1 user user 6.9K Oct  5 12:49 fdt_uboot
-rw-rw-r-- 1 user user 105K Oct  5 12:49 kconfig.conf
-rw-rw-r-- 1 user user  24K Oct  5 12:49 kconfig.gz
-rw-rw-r-- 1 user user 9.1M Oct  5 12:49 kernel.bin
-rw------- 1 user user 3.2M Oct  5 12:49 kernel.lzma
-rw------- 1 user user 732K Oct  5 12:49 optee
-rw-rw-r-- 1 user user 7.8K Oct  5 12:49 output.log
-rw-rw-r-- 1 user user 1.1K Oct  5 12:49 secblob.dtb
-rw-rw-r-- 1 user user 1.1K Oct  5 12:49 secblob.dts
-rw-rw-r-- 1 user user  86M Oct  5 12:30 spTurquoise320-505_6.28.7_sec.bin
-rw-rw-r-- 1 user user  86M Oct  5 12:49 spTurquoise320-505_6.28.7_sec.dtb
-rw-rw-r-- 1 user user 1.1K Oct  5 12:49 spTurquoise320-505_6.28.7_sec.dts
-rw-rw-r-- 1 user user  18K Oct  5 12:49 unpack.sh
-rw------- 1 user user 3.7M Oct  5 12:49 uboot

About

BRCM Firmware Image Unpacker

Topics

bash embedded firmware reverse-engineering brcm

Resources

Readme
Activity

Stars

8 stars

Watchers

1 watching

Forks

1 fork
Report repository

Languages