EMBA firmware report

-----------------------------------------------------------------

[*] Initial strace run with jchroot on the command ./sbin/mtd to identify missing areas

[*] Emulating binary name: mtd in strace mode to identify missing areas (with jchroot)

[*] Emulator used: qemu-mipsel-static

[*] Chroot environment used: jchroot

[*] Using root directory: /logs/s115_usermode_emulator/firmware/unblob_extracted/firmware_extract/1568982-13971496.squashfs_v4_le_extract (1/1)

[*] Using CPU config:

1 brk(NULL) = 0x00416130

1 mmap2(NULL,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x3ffc8000

1 uname(0x4071e750) = 0

1 access("/etc/ld.so.preload",R_OK) = -1 errno=2 (No such file or directory)

1 openat(AT_FDCWD,"/etc/ld.so.cache",O_RDONLY|O_CLOEXEC) = -1 errno=2 (No such file or directory)

1 openat(AT_FDCWD,"/lib/tls/libubox.so",O_RDONLY|O_CLOEXEC) = 3

1 read(3,0x4071e4d4,512) = 512

1 prctl(46,8,1081205972,512,1073770496,0) = 0

1 fstat64(3,0x4071e398) = 0

1 mmap2(NULL,99696,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x3ffaf000

1 mprotect(0x3ffb7000,61440,PROT_NONE) = 0

1 mmap2(0x3ffc6000,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_DENYWRITE|MAP_FIXED,3,0x7) = 0x3ffc6000

1 close(3) = 0

1 openat(AT_FDCWD,"/lib/tls/libgcc_s.so.1",O_RDONLY|O_CLOEXEC) = 3

1 read(3,0x4071e4bc,512) = 512

1 prctl(46,9,1081205948,512,1073770496,0) = 0

1 fstat64(3,0x4071e380) = 0

1 mmap2(NULL,144160,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x3ff8b000

1 mprotect(0x3ff9e000,61440,PROT_NONE) = 0

1 mmap2(0x3ffad000,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_DENYWRITE|MAP_FIXED,3,0x12) = 0x3ffad000

1 mprotect(0x4071e000,4096,PROT_EXEC|PROT_READ|PROT_WRITE|PROT_GROWSDOWN) = 0

1 close(3) = 0

1 openat(AT_FDCWD,"/lib/tls/libc.so.6",O_RDONLY|O_CLOEXEC) = 3

1 read(3,0x4071e4a4,512) = 512

1 prctl(46,13,1081205924,512,1073770496,0) = 0

1 _llseek(3,0,792,0x4071e260,SEEK_SET) = 0

1 read(3,0x4071e290,32) = 32

1 fstat64(3,0x4071e368) = 0

1 mmap2(NULL,1630336,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE,3,0) = 0x3fdfc000

1 mprotect(0x3ff72000,61440,PROT_NONE) = 0

1 mmap2(0x3ff81000,28672,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_DENYWRITE|MAP_FIXED,3,0x175) = 0x3ff81000

1 mmap2(0x3ff88000,8320,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,-1,0) = 0x3ff88000

1 close(3) = 0

1 mmap2(NULL,8192,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x3fdfa000

1 set_thread_area(0x3fe014a0) = 0

1 mprotect(0x3ff81000,16384,PROT_READ) = 0

1 mprotect(0x3ffad000,4096,PROT_READ) = 0

1 mprotect(0x3ffc6000,4096,PROT_READ) = 0

1 mprotect(0x00415000,4096,PROT_READ) = 0

1 mprotect(0x3fffe000,4096,PROT_READ) = 0

1 write(2,0x403884,572)Usage: mtd [<options> ...] <command> [<arguments> ...] <device>[:<device>...]

The device is in the format of mtdX (eg: mtd4) or its label.

mtd recognizes these commands:

        unlock                  unlock the device

        refresh                 refresh mtd partition

        erase                   erase all data on device

        verify <imagefile>|-    verify <imagefile> (use - for stdin) to device

        write <imagefile>|-     write <imagefile> (use - for stdin) to device

        jffs2write <file>       append <file> to the jffs2 partition on the device

 = 572

1 write(2,0x403b54,81)        fixseama                fix the checksum in a seama header on first boot

 = 81

1 write(2,0x403ba8,79)        fixwrg                  fix the checksum in a wrg header on first boot

 = 79

1 write(2,0x403c4c,863)Following options are available:

        -q                      quiet mode (once: no [w] on writing,

                                           twice: no status messages)

        -n                      write without first erasing the blocks

        -r                      reboot after successful command

        -f                      force write without trx checks

        -e <device>             erase <device> before executing the command

        -d <name>               directory for jffs2write, defaults to "tmp"

        -j <name>               integrate <file> into jffs2 data when writing an image

        -s <number>             skip the first n bytes when appending data to the jffs2 partiton, defaults to "0"

        -p <number>             write beginning at partition offset

        -l <length>             the length of data that we want to dump

 = 863

1 write(2,0x404008,126)        -c datasize             amount of data to be used for checksum calculation (for fixtrx / fixseama / fixwrg / fixwrgg)

 = 126

1 write(2,0x404088,87)        -t <partition>          write TP-Link recovery-flag to <partition> (for write)

 = 87

1 write(2,0x4040e0,115)

Example: To write linux.trx to mtd4 labeled as linux and reboot afterwards

         mtd -r write linux.trx linux

 = 115

1 exit_group(1)

[*] Identification of missing filesytem areas.

[*] Found missing area: /etc/ld.so.cache

[*] Trying to identify this missing file: ld.so.cache

[*] Missing file /logs/s115_usermode_emulator/firmware/unblob_extracted/firmware_extract/1568982-13971496.squashfs_v4_le_extract/etc/ld.so.cache

-----------------------------------------------------------------