Modifying / Installing stock firmware on ISP Branded WRE2205

Question

Our ISP, MWeb, gave us a free router and Wifi extender (WRE2205v2) as part of a new promotion. Neither of them really work at all (the extender works for about a minute then fails for no apparent reason). Acording to reviews, it should be a decent repeater, but it seems Mweb has completely screwed up the firmware.

This blog post shows how to get very basic root access (it's running embedded Linux) on the device (the security is... bad). So far I've worked out it's a MIPS device (running file on an executable gives ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV) and the file system is squash-fs, so read only. I can also copy files to/from the device using tftp.

I also know that both the branded firmware and the stock firmware use a binary called fw_upgrade to flash a new firmware. I tried decompiling them using http://decompiler.fit.vutbr.cz/decompilation/ but I haven't had much luck there. The branded one has a bit more code which I assume checks something about the new firmware and prevents the stock firmware from being flashed. Finally I tried copying the stock fw_upgrade to the device and running it but it fails without an error message.

What else can I do to get the stock firmware running?

Answer 1

A cursory examination of the two files suggests that the main difference in upgrade paths between the two binaries is that the branded one calls a function named chkfwid. If I'm reading the code correctly, it searches the first 0x800 bytes for the four ASCII bytes 1213; if found, the function succeeds, else it fails and the upgrade is terminated.

Answer 2

I just got it working. Turns out I didn't need to modify the binary. After extracting the squash-fs file system from the update file, I managed to copy fw_update to the device using tftp. Running that binary (/etc/fw_update upg fw.bin) instead of the ISP one worked and flashed the stock firmware. The binary needs to be copied to /etc or /var because the rest is read-only.