Upgrading the Kyocera KR2 With the CradlePoint MBR1000 Firmware

This is the first post in my quest to get my Kyocera KR2 running some more modern firmware. For those of you who don’t know, The CradlePoint MBR1000 3G/4G wireless router is essentially a rebranded Kyocera KR2 with different firmware and no PCMCIA slot. Internally, the hardware is exactly the same (except for the PCMCIA card slot). The MBR1000′s firmware is more up-to-date than the KR2 firmware with support for more 3G and 4G cellular cards, so I wanted to see if I could upgrade the firmware. If I do eventually get this to work, I’ll probably lose the PCMCIA card slot functionality, but it will be worth it.

Here’s what I have so far:

The MBR1000 has two firmware files, both with the .bin extension. The second firmware file contains the modem drivers and is not relevant. The first firmware file, however, is much more interesting. Here’s the output after I ran binwalk on the u_mbr_2012_04_16.bin file:

0         	0x0       	Ubicom firmware header, checksum: 0x1C2EDFD2, image size: 1703936

It turns out that you can actually extract files from this archive (it’s called an ARJ; I’ve never heard of that kind of archive before). So, using “The Archive Browser” on my Mac (it’s a very good utility, by the way), I extracted a file called nightlies/mbrcore_2_0_0_Release_2012_04_16/build/bin/img.bin from it. This is what it’s called when I extract it using The Archive Browser. When I use 7-Zip to extract it, instead of getting that directory structure in the file name, the directory structure is actually visible inside 7-Zip and you can browse through it. There aren’t any additional files, though, so either way you get an image file out of it. Here’s the binwalk output for that file:

97386     	0x17C6A   	JFFS2 filesystem (old) data big endian, JFFS node length: 53663
1552871   	0x17B1E7  	LZMA compressed data, properties: 0x84, dictionary size: 1393557504 bytes, uncompressed size: 606931776 bytes
1555019   	0x17BA4B  	LZMA compressed data, properties: 0xB8, dictionary size: 756023296 bytes, uncompressed size: 417925696 bytes
1557687   	0x17C4B7  	LZMA compressed data, properties: 0xE0, dictionary size: 403701760 bytes, uncompressed size: 680856384 bytes
1558159   	0x17C68F  	LZMA compressed data, properties: 0x84, dictionary size: 655360000 bytes, uncompressed size: 748555072 bytes
1990922   	0x1E610A  	PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
2019004   	0x1ECEBC  	TIFF image data, big-endian
2038803   	0x1F1C13  	GIF image data 8289 x 256
2044879   	0x1F33CF  	GIF image data, version 89a, 740 x 30

Wow! I wish I had this program a few years ago… Anyways, this is all very interesting stuff. The PNG (if you haven’t already guessed from the size) is the favicon for the web interface; I have no idea what the TIFF is; after a little poking around, I found that the “8289 x 256″ GIF is simply a spinning “loading” disk from here; and that last GIF is just some sort of simple footer image. All in all, nothing too special here. On to the Kyocera firmware!

The KR2 only uses one firmware image, the latest is called ZE1004.bin. Here’s the binwalk output for it:

0         	0x0       	Ubicom firmware header, checksum: 0x6953B032, image size: 1507328
978291    	0xEED73   	TIFF image data, big-endian
1362951   	0x14CC07  	GIF image data, version 89a, 4128 x 256
1369624   	0x14E618  	GIF image data, version 89a, 16 x 16
1382219   	0x15174B  	TIFF image data, big-endian

Unfortunately, I wasn’t able to extract anything from ZE1004.bin. Oh, well.

Noting that ZE1004.bin and u_mbr_2012_04_16.bin both had Ubicom firmware headers, I decided to compare them using “Hex Fiend.” From that hex comparison, I found that that the two files are remarkably similar. First of all, they are cllose to each other in filesize (1.7 and 1.5 MB). Second, for the first 1.5 kB, there are only 37 differences with many of them being simple byte replacements. After that, the files become very different for a little over a megabyte. After that difference, though, there’s a bunch of “FF” bytes and these continue until the end of the file where there is a 4 byte value that varies by one byte between the two files and is certainly not a checksum. In the MBR1000 file, you could remove around 200 kB worth of “FF” after the main code block and make it the same size as the KR2 file. After looking through the two files, it seems as though the KR2 file has much more code than the MBR1000 file, but this can be explained by the fact that the KR2 firmware has its modem drivers built-in.

At this point, I believe that if I can change the MBR1000 firmware to look like the KR2 firmware a little, I’ll be able to trick my Kyocera KR2 into upgrading from the MBR1000 firmware file.

Things are beginning to look good!

This entry was posted in Hacking/Modding and tagged , , . Bookmark the permalink.
  • david

    Please let me know if you figure it out. That is totally awesome!