Building

An unpacker for Alcatel TiMOS images

Hi,

I wrote a small python script that extracts the content from Alcatel .tim firmware files. It took some time staring at hex values, as well as a fair amount of guess work to figure out the file format.

All .tim files start with a common header, containing the TiMOS version string, the build string, the used compression algorithm and the number of segments included in the file. The common header is followed by a header for each segment in the file. The segment header contains values like the name of the segment, the beginning of the segment in the image file, the size of the segment, compressed as well as extracted, a checksum of the decompressed data and also the base address and entry point of the data in the routers memory. A segment header can look like this:

============= text ==============
| base_addr         | 0x2800000 |
| length_compressed | 0x329F320 |
| entry_point       | 0x2800000 |
| crc_extracted     | 0xF6F87A4 |
| length_extracted  | 0x86D6FA0 |
| file_offset       | 0x400     |
=================================

There also is one special segment, called ‘images_v1’, which contains images for the FPGAs in your router. Embedded in this segment are the number of images and the image compression algorithm followed by a header for each image. The image header contain informations about the image itself, like the filename of the image, the length of the image in the file, the length of the extracted image, the target of the image and sometimes a not yet identified CRC. An image header can look like this:

	========== cca_mda_data ==========
	| crc_unknown   | 0x3AF27AF3     |
	| len_extracted | 0x7CD1E        |
	| filename      | cca_mda.bit.gz |
	| target        | FPGAv1c2       |
	| len_section   | 0x13BD0        |
	| len_data      | 0x13AA1        |
	==================================

The program itself takes a number of command line flags and a filename to extract:

$TiMOS_unpack.py -h
Usage: TiMOS_unpack.py [options] inputfile

Options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -v          Be verbose
  -f          Force file overwrite

I’ve figured out that there are no signatures embedded in the file, so the only verification that can be done is based on the length and CRC values. So if I wanted to build a ‘bad’ TiMOS image [whatever that might be, it could make your router back doored, or maybe let it fly (-;], I just need to extract the image, tamper with the binaries and repack them with updated length and CRC values.

You can download the script here.

Have a nice day

/daniel

Comments

Comments are closed.