Reverse Engineering VxWorks (which Replaces Linux On Newer Routers)

The Linksys router seen above is a WRT54G version 1. It famously runs Linux and was the source of much hacking back in the heyday, leading to popular alternative firmware packages such as DD-WRT and Tomato. But the company moved away from Linux-based firmware starting with version 8 of the hardware. Those routers now run VxWorks, a proprietary real-time operating system.

[Craig] recently put together a reverse engineering guide for the WRT54Gv8 and newer routers. His approach is purely firmware based, since he doesn’t actually own a router that runs VxWorks. A bit of poking around in the hex dump lets him identify the different parts of the image, eventually leading to an ELF header. That header is what really starts to unlock the secrets within: it records the architecture, endianness and entry point, so the code can be loaded at the right address instead of being treated as an opaque blob. From there he carries out a rather lengthy process of accurately disassembling the code into something that makes sense. The tool of choice is the IDA Pro disassembler and debugger. We weren’t previously familiar with it, but having seen what it can do we’re quite impressed.
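As an added illustration of that hex-dump stage (this is example code written for this post, not anything from [Craig]’s guide), here is a small Python scanner that walks a raw firmware image looking for the ELF magic, rejects false positives whose identification bytes are invalid, and decodes the header fields a disassembler needs. The sample image is constructed inline; the big-endian 32-bit MIPS header it contains, the entry address and the decoy magic are assumptions made for the demo, not claims about what a real WRT54Gv8 image holds.

```python
"""Scan a raw firmware blob for embedded ELF headers and decode them."""
import struct

ELF_MAGIC = b"\x7fELF"

# Small subset of e_machine / e_type values from the ELF specification.
MACHINES = {0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC",
            0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(blob, off):
    """Decode the ELF header starting at blob[off].

    Returns a dict of the interesting fields, or None when the bytes carry the
    magic but are not a plausible header (bad class/endianness, truncated,
    wrong version or header size). That filtering is what separates a real
    embedded binary from a stray 0x7f 'E' 'L' 'F' sequence in the image.
    """
    if blob[off:off + 4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[off + 4], blob[off + 5]   # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        fmt, size = endian + "HHIIIIIHHHHHH", 52     # ELF32: e_entry/e_phoff/e_shoff are 32-bit
    else:
        fmt, size = endian + "HHIQQQIHHHHHH", 64     # ELF64: they are 64-bit
    if off + size > len(blob):
        return None
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack(fmt, blob[off + 16:off + size])
    if e_version != 1 or e_ehsize != size:
        return None
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "phoff": e_phoff, "phnum": e_phnum,
        "shoff": e_shoff, "shnum": e_shnum,
        "flags": e_flags,
    }


def scan_for_elf(blob):
    """Return [(offset, header_dict), ...] for every valid ELF header in blob."""
    hits = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf_header(blob, pos)
        if hdr is not None:
            hits.append((pos, hdr))
        pos = blob.find(ELF_MAGIC, pos + 1)
    return hits


def build_sample_image():
    """Constructed demo blob (assumption, not a real router image):
    0x40 bytes of 0xff filler, a decoy magic with an invalid EI_CLASS,
    zero padding, then a valid big-endian 32-bit MIPS ELF header at 0x100."""
    e_ident = ELF_MAGIC + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    rest = struct.pack(">HHIIIIIHHHHHH",
                       2, 8, 1, 0x80001000,   # ET_EXEC, EM_MIPS, version, entry (assumed)
                       52, 0, 0x70001001,     # phoff, shoff, flags (assumed)
                       52, 32, 1, 40, 0, 0)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    image = bytearray(b"\xff" * 0x40)
    image += ELF_MAGIC + b"\x09" + b"\x00" * 11          # decoy: magic, bogus class
    image += b"\x00" * (0x100 - len(image))
    image += e_ident + rest
    image += b"\x00" * 0x80
    return bytes(image)


if __name__ == "__main__":
    for off, hdr in scan_for_elf(build_sample_image()):
        print(f"ELF at 0x{off:x}: {hdr['bits']}-bit {hdr['endian']}-endian "
              f"{hdr['machine']} {hdr['type']}, entry 0x{hdr['entry']:08x}")
```

The fields printed (architecture, endianness, entry point) are exactly what you feed a disassembler when loading a raw image, and the decoy shows why checking EI_CLASS, EI_DATA, e_version and e_ehsize matters: firmware images are full of byte runs that look like a magic number but are not.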

[Image via Wikimedia Commons]

25 thoughts on “Reverse Engineering VxWorks (which Replaces Linux On Newer Routers)”

  1. @blub Great idea if your laptop and gear are from the stone age. I use N wireless for high speeds and 1000bt for my network. The 10 year old GL version is so out of date it can’t do any of that.

    The GL version is great for the poor and the luddites, but for any real speeds at home or the office you need newer hardware, and nothing is available.

  2. I wish there was a “day pass” license for IDA Pro. I would pay $30 for this privilege, but I can’t really justify $500+ for a tool I might use once or twice a year for personal projects.

  3. Color me ignorant, but Linux in its own right isn’t hard real time, so a router would have to have a RT-kernel underneath to do the timing sensitive bits anyways, or throw enough hardware at it that the Linux kernel would be able to always keep up.

    So, isn’t it actually counter-productive to run Linux on top because it just takes more processing power for what 99.99% of the users don’t really care for anyways?

    1. “Color me ignorant”.

      Not today, maybe tomorrow. Consider that I don’t have to tell you about your heart beat. I may say something to tell you how horrible a person you are, however that would be a reflection of something similar to a DDOS attack. Overclocking to pick up the workload on how to respond with a snazzy comeback, try to punch me in the face or run away.

      Consider that we talk a common language be it Sanskrit, Ancient Sumerian or Latin. We agree on a set meaning of high level words to communicate ideas.

      I imagine breathing in Morse code would be tiresome. In this instance using Linux to call ASM instructions is preferable. Sending Morse of your WPA-2 implementation would force you to realize you are breathing manually.

  4. Is there any good FOSS wifi router software that runs on x86 Linux?
    A good number of people have personal NAS or even a firewall like smoothwall. Seems to me that instead of using a router like this you could just add a wifi card to your server or firewall and have one less device to worry about. You might even save a little power if you are running the server or firewall anyway.

  5. never use a decompiler to document code..especially the ones in IDA..

    it’s more productive to trace and comment code, xrefs also help.

    x86 bios reversing is done the same deflate->?decrypt->trace&document. ARM is actually easier than x86 when it comes to bios/real-mode.

  6. Remember the Hacker Ethic. It’s doesn’t always need to be better to be a proof of concept. It’s just a different way of doing things. Sometimes it works better, sometimes not. The important thing is.. There IS a different way to do things.

    Take the Narrow road. It may not be as fast, but the views are better and at the end is a much nicer place.

  7. lwatcdr: there is astaro which is good but needs 1gb of ram to run smooth, it has stuff like bgp and trunking built in so it is likely to be overpowered. On the other hand a debian box with shorewall runs smoothly with 256m or less. It is harder but more fun! :D

  8. @fartface Check the list of supported hardware on the OpenWRT site. e.g. Buffalo WZR GN300HP has 4+1GbE ports, N, USB, 32MB flash, 64MB RAM, etc.

    NetGear also has a nice router with OpenWRT support.

  9. I have a v 1 running DDRT.

    With some good aftermarket antennas and a hacked heatsink/fan I have the power cranked to 80%.

    Now if I could only figure out a way to boost the power from my network card(my soup can helps but doesn’t increase my transmitting power)

    Being at the “End of the line” for DSL in my area the only way some of my neighbors can get online is through my connection which I leave open for their use.

    Any one know of a good hackable wireless cards, or at least one with a good pwr output?

  10. You know that VxWorks is the O/S that runs the Mitel SX200, SX2000 and 3300 PABXs?

    A handy command from the rudimentary shell is lkup, e.g.

    lkup "fred"

    will lookup any command or symbolic link that contains ‘fred’
