This is the first post in my quest to get my Kyocera KR2 running some more modern firmware. For those who don't know, the CradlePoint MBR1000 3G/4G wireless router is essentially a rebranded Kyocera KR2 with different firmware and no PCMCIA slot; apart from that slot, the hardware is identical. The MBR1000's firmware is more up to date than the KR2's, with support for more 3G and 4G cellular cards, so I wanted to see if I could upgrade the KR2 to it. If I do eventually get this to work I'll probably lose the PCMCIA slot, but it will be worth it.
Here’s what I have so far:
The MBR1000 has two firmware files, both with the .bin extension. The second one contains the modem drivers and is not relevant here. The first, however, is much more interesting. Here's the output after I ran binwalk on the u_mbr_2012_04_16.bin file:
DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------
0             0x0           Ubicom firmware header, checksum: 0x1C2EDFD2, image size: 1703936
It turns out that you can actually extract files from this image: it's an ARJ archive (I'd never heard of that format before). Using "The Archive Browser" on my Mac (a very good utility, by the way), I extracted a file called nightlies/mbrcore_2_0_0_Release_2012_04_16/build/bin/img.bin from it. That is the name The Archive Browser gives the extracted file; when I extract with 7-Zip instead, the directory structure isn't folded into the file name but is visible inside 7-Zip, where you can browse through it. There aren't any additional files, though, so either way you get one image file out of it. Here's the binwalk output for that file:
DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------
97386         0x17C6A       JFFS2 filesystem (old) data big endian, JFFS node length: 53663
1552871       0x17B1E7      LZMA compressed data, properties: 0x84, dictionary size: 1393557504 bytes, uncompressed size: 606931776 bytes
1555019       0x17BA4B      LZMA compressed data, properties: 0xB8, dictionary size: 756023296 bytes, uncompressed size: 417925696 bytes
1557687       0x17C4B7      LZMA compressed data, properties: 0xE0, dictionary size: 403701760 bytes, uncompressed size: 680856384 bytes
1558159       0x17C68F      LZMA compressed data, properties: 0x84, dictionary size: 655360000 bytes, uncompressed size: 748555072 bytes
1990922       0x1E610A      PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
2019004       0x1ECEBC      TIFF image data, big-endian
2038803       0x1F1C13      GIF image data 8289 x 256
2044879       0x1F33CF      GIF image data, version 89a, 740 x 30
Wow! I wish I had this program a few years ago... Anyway, this is all very interesting stuff. The PNG (as you may have guessed from its 16 x 16 size) is the favicon for the web interface; I have no idea what the TIFF is; after a little poking around, I found that the "8289 x 256" GIF is simply a spinning "loading" animation; and the last GIF is just some sort of simple footer image. All in all, nothing too special here. On to the Kyocera firmware!
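The four LZMA hits deserve a second look before anyone tries to carve them out: dictionary sizes of 385 MB to 1.3 GB and uncompressed sizes of 400 to 750 MB are absurd for a 2 MB image, which is the classic sign of binwalk matching a stray byte pattern rather than a real stream. The script below is an added example, not part of the original post, showing how to triage such hits: it decodes the 13-byte .lzma header (properties byte, dictionary size, uncompressed size), applies the sanity rules real encoders obey, and then lets liblzma try to decode a small window under a memory limit so that a bogus gigabyte dictionary becomes an error instead of an allocation. It runs on a constructed image containing one genuine stream plus three headers copied from the binwalk lines above and followed by filler, not on img.bin itself; the 4 KiB probe window, the 64 MiB memory limit and the 64:1 ratio bound are assumptions.

```python
import lzma
import struct

# A .lzma ("LZMA alone") header is 13 bytes: properties byte, u32 LE dictionary
# size, u64 LE uncompressed size (all 0xFF means "unknown, end marker used").
LZMA_ALONE_HEADER_LEN = 13
UNKNOWN_SIZE = 0xFFFF_FFFF_FFFF_FFFF
MAX_PROPS = (4 * 5 + 4) * 9 + 8   # 224: the largest encodable (lc, lp, pb) triple


def parse_lzma_alone_header(buf, offset):
    """Decode the header at buf[offset]; ValueError if it cannot be a .lzma header."""
    if offset + LZMA_ALONE_HEADER_LEN > len(buf):
        raise ValueError("truncated header")
    props, dict_size, usize = struct.unpack_from("<BIQ", buf, offset)
    if props > MAX_PROPS:
        raise ValueError(f"properties byte 0x{props:02X} out of range")
    pb, rem = divmod(props, 45)   # props = (pb * 5 + lp) * 9 + lc
    lp, lc = divmod(rem, 9)
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "uncompressed_size": None if usize == UNKNOWN_SIZE else usize}


def plausible_dict_size(d):
    """Encoders emit dictionary sizes of 2^n or 2^n + 2^(n-1); xz's format
    autodetection rejects anything else, and so does this check."""
    if d == 0:
        return False
    p = 1 << (d.bit_length() - 1)   # largest power of two <= d
    return d in (p, p + (p >> 1))


def triage_lzma_hit(buf, offset, memlimit=64 << 20, probe=4096):
    """Return (accepted, reasons) for a binwalk-style LZMA hit at `offset`."""
    try:
        hdr = parse_lzma_alone_header(buf, offset)
    except ValueError as e:
        return False, [str(e)]
    reasons = []
    if hdr["lc"] + hdr["lp"] > 4:
        reasons.append(f"lc+lp = {hdr['lc'] + hdr['lp']} > 4, which liblzma cannot decode")
    if not plausible_dict_size(hdr["dict_size"]):
        reasons.append(f"dictionary size {hdr['dict_size']} is not 2^n or 2^n+2^(n-1)")
    remaining = len(buf) - offset
    usize = hdr["uncompressed_size"]
    if usize is not None and usize > 64 * remaining:   # assumed bound: >64:1 is not firmware
        reasons.append(f"claims {usize} bytes uncompressed from at most {remaining} bytes of input")
    # Decisive check: let liblzma parse the header and decode a window. The memory
    # limit turns a bogus multi-gigabyte dictionary into an error, not an allocation.
    try:
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=memlimit)
        out = dec.decompress(buf[offset:offset + probe])
        if not out and not dec.eof:
            reasons.append("decoder produced no output from the probe window")
    except lzma.LZMAError as e:
        reasons.append(f"liblzma rejected the stream: {e}")
    return not reasons, reasons


def build_sample_image():
    """Constructed test image (not the MBR1000 firmware): 0xFF filler, one
    genuine .lzma stream, then three headers copied from binwalk's hits on
    img.bin, each followed by constructed junk. Returns (image, real_offset,
    bogus_offsets)."""
    payload = b"Ubicom test payload\n" * 200
    # liblzma's .lzma encoder records the uncompressed size as unknown and ends
    # the stream with an end marker, so the header's size field will be all 0xFF.
    real = lzma.compress(payload, format=lzma.FORMAT_ALONE,
                         filters=[{"id": lzma.FILTER_LZMA1, "dict_size": 1 << 16}])
    image = bytearray(b"\xFF" * 64) + real + b"\xFF" * 64
    bogus = []
    for props, dict_size, usize in ((0x84, 1393557504, 606931776),
                                    (0xB8, 756023296, 417925696),
                                    (0xE0, 403701760, 680856384)):
        bogus.append(len(image))
        image += struct.pack("<BIQ", props, dict_size, usize) + bytes(range(256)) * 2
    return bytes(image), 64, bogus


if __name__ == "__main__":
    image, real_off, bogus_offs = build_sample_image()
    for off in [real_off] + bogus_offs:
        ok, why = triage_lzma_hit(image, off)
        print(f"{off:7d} 0x{off:06X} {'real stream' if ok else 'false positive'}",
              "; ".join(why))
```

Against the real file you would read img.bin and call triage_lzma_hit with the decimal offsets binwalk printed. The plausible_dict_size and lc+lp <= 4 rules mirror what xz/liblzma accepts; the LZMA SDK's own decoder is more permissive, so a rejection here means "not something xz can unpack", which for a firmware image is the question that matters.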
The KR2 only uses one firmware image, the latest is called ZE1004.bin. Here’s the binwalk output for it:
DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------
0             0x0           Ubicom firmware header, checksum: 0x6953B032, image size: 1507328
978291        0xEED73       TIFF image data, big-endian
1362951       0x14CC07      GIF image data, version 89a, 4128 x 256
1369624       0x14E618      GIF image data, version 89a, 16 x 16
1382219       0x15174B      TIFF image data, big-endian
Unfortunately, I wasn’t able to extract anything from ZE1004.bin. Oh, well.
Noting that ZE1004.bin and u_mbr_2012_04_16.bin both have Ubicom firmware headers, I decided to compare them in Hex Fiend. The two files turned out to be remarkably similar. First, they are close to each other in size (1.7 and 1.5 MB). Second, within the first 1.5 kB there are only 37 differences, many of them simple byte replacements. After that the files diverge completely for a little over a megabyte. Then comes a long run of 0xFF bytes that continues to the end of the file, where there is a 4-byte value that differs by one byte between the two files and is certainly not a checksum. In the MBR1000 file, you could remove around 200 kB of 0xFF after the main code block and make it the same size as the KR2 file. From looking through the two files, the KR2 file seems to contain much more code than the MBR1000 file, which can be explained by the KR2 firmware having its modem drivers built in.
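To make that comparison repeatable (and to check numbers like the 37 differences in the first 1.5 kB or the roughly 200 kB of extra 0xFF), here is an added example script, not part of the original post, that reports the same things Hex Fiend shows by eye: the differing byte runs in the header, where the bodies start to diverge, the length of the 0xFF filler before the trailer, and the trailer itself. It assumes nothing about the Ubicom header layout, which the post does not describe; the 1.5 kB header length, the 0xFF pad byte and the 4-byte trailer are taken from the observations above, and the two images it runs on are constructed stand-ins rather than the real firmware files.

```python
import random


def diff_runs(a, b):
    """Half-open [start, end) ranges where a and b differ, over their common
    prefix length. Adjacent differing bytes are merged into one run, which is
    what makes "simple byte replacements" stand out from wholesale changes."""
    n = min(len(a), len(b))
    runs, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, n))
    return runs


def find_padding(buf, pad=0xFF, tail_len=4):
    """(start, length) of the run of `pad` bytes that ends `tail_len` bytes
    before EOF, i.e. the filler between the code block and the trailer."""
    end = len(buf) - tail_len
    start = end
    while start > 0 and buf[start - 1] == pad:
        start -= 1
    return start, end - start


def summarize(a, b, header_len=1536, pad=0xFF, tail_len=4):
    """Reproduce the manual hex-editor comparison as numbers."""
    runs = diff_runs(a, b)
    header_runs = [(s, min(e, header_len)) for s, e in runs if s < header_len]
    body_runs = [(max(s, header_len), e) for s, e in runs if e > header_len]
    return {
        "sizes": (len(a), len(b)),
        "header_diff_runs": len(header_runs),
        "header_diff_bytes": sum(e - s for s, e in header_runs),
        "body_first_diff": body_runs[0][0] if body_runs else None,
        "a_pad": find_padding(a, pad, tail_len),
        "b_pad": find_padding(b, pad, tail_len),
        "tails": (a[-tail_len:].hex(), b[-tail_len:].hex()),
        "tail_diff_bytes": sum(x != y for x, y in zip(a[-tail_len:], b[-tail_len:])),
    }


def build_sample_pair():
    """Constructed stand-ins for the two images (not ZE1004.bin or
    u_mbr_2012_04_16.bin): a shared 1.5 kB header with five single-byte
    changes, unrelated bodies of different length, 0xFF filler that makes the
    files the same size, and a 4-byte trailer differing in its last byte.
    Body bytes are drawn from 0..254 so the padding boundary is unambiguous."""
    rng = random.Random(7)
    header = bytes(rng.randrange(255) for _ in range(1536))
    header_b = bytearray(header)
    for pos in (0x10, 0x20, 0x21, 0x400, 0x5F0):
        header_b[pos] ^= 0x5A
    body_a = bytes(rng.randrange(255) for _ in range(8192))
    body_b = bytes(rng.randrange(255) for _ in range(6144))
    a = header + body_a + b"\xFF" * 2048 + b"\x12\x34\x56\x78"
    b = bytes(header_b) + body_b + b"\xFF" * 4096 + b"\x12\x34\x56\x79"
    return a, b


if __name__ == "__main__":
    # For the real files: summarize(open("ZE1004.bin", "rb").read(),
    #                               open("u_mbr_2012_04_16.bin", "rb").read())
    for key, value in summarize(*build_sample_pair()).items():
        print(f"{key:18} {value}")
```

The header runs are worth printing in full on the real files: a run of length 1 at a fixed offset is the kind of single-byte field (a model or version identifier, say) that would have to be patched to make one image look like the other, while a run that spans several bytes is more likely a size or checksum that must be recomputed rather than copied.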
At this point, I believe that if I can change the MBR1000 firmware to look like the KR2 firmware a little, I’ll be able to trick my Kyocera KR2 into upgrading from the MBR1000 firmware file.
Things are beginning to look good!
Please let me know if you figure it out. That is totally awesome!