3rd_party

Firmware format

  • Only seen in the TP-Link Deco firmware for the Deco S4 V2. TP-Link allows specially crafted firmware to bypass the signature check when it is uploaded through the web-UI firmware update mechanism
  • Binary references "nm_upgrade3rdFwupFile" and "3rd Firmware", which I assume means 3rd party?
  • No tool written yet (plenty of other bypasses on these devices)

Firmware description

0x0 = size of firmware file (>0x1814)
0x4 = CRC32 of remaining file contents
0x8 = 0xDEADBEEF
0xC = product info section (length 0x40, "product_name:xxx\nproduct_version:x.x.x.x\n")
0x4C = "os-linux"
0x54 = kernel write location in flash (=0x200000)
0x58 = kernel size (0x1000 < x < 0xE00000)
0x60 = kernel location in fw file (=0x14c)
0x64 = kernel size
0x68 = "rootfs"
0x6A = rootfs write location in flash (0x200000 + kernel_len)
0x6E = rootfs size (0x1000 < x < 0xE00000)
0x72 = rootfs location in fw file (kernel_len + 0x14c + 0x01 spacer)
0x76 = rootfs size
0x14C = <kernel data>
0x14C+kernel_len = 0x01 spacer (any value)
0x14C+kernel_len+0x01 = <rootfs data>
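
The layout above as a header inspector, useful for recognising images in this format during firmware triage. This is an added example, not code from this repository. Assumptions: byte order is inferred from the magic, the CRC is zlib CRC-32 over everything from 0x8 to end of file, and the size field covers the whole file. The rootfs entry is not parsed.

```python
import struct
import zlib

MAGIC, KERNEL_OFF, FLASH_BASE = 0xDEADBEEF, 0x14C, 0x200000

def inspect_header(blob):
    """Return (fields, problems) for an image laid out as described above."""
    if len(blob) < KERNEL_OFF:
        raise ValueError("shorter than the 0x14C-byte header")
    # Assumption: byte order is not given on the page, so infer it from the magic.
    for order in (">", "<"):
        if struct.unpack_from(order + "I", blob, 0x8)[0] == MAGIC:
            break
    else:
        raise ValueError("0xDEADBEEF not found at 0x8")
    u32 = lambda off: struct.unpack_from(order + "I", blob, off)[0]
    info = blob[0xC:0x4C].rstrip(b"\0").decode("ascii", "replace")
    f = {
        "byte_order": "big" if order == ">" else "little",
        "size": u32(0x0), "crc32": u32(0x4),
        "product": dict(l.split(":", 1) for l in info.splitlines() if ":" in l),
        "kernel_flash": u32(0x54), "kernel_size": u32(0x58),
        "kernel_off": u32(0x60), "kernel_size2": u32(0x64),
    }
    checks = [
        ("size field != file length", f["size"] == len(blob)),  # assumption: whole file
        ("size not > 0x1814", f["size"] > 0x1814),
        # Assumption: zlib CRC-32 over everything after the CRC field.
        ("CRC32 mismatch", f["crc32"] == zlib.crc32(blob[0x8:])),
        ('"os-linux" missing at 0x4C', blob[0x4C:0x54] == b"os-linux"),
        ("kernel flash address != 0x200000", f["kernel_flash"] == FLASH_BASE),
        ("kernel size out of range", 0x1000 < f["kernel_size"] < 0xE00000),
        ("kernel sizes at 0x58/0x64 differ", f["kernel_size"] == f["kernel_size2"]),
        ("kernel offset != 0x14C", f["kernel_off"] == KERNEL_OFF),
        ("kernel runs past end of file", KERNEL_OFF + f["kernel_size"] < len(blob)),
    ]
    return f, [msg for msg, ok in checks if not ok]

def constructed_sample(order=">", kernel_len=0x2000):
    """Constructed test input: zero-filled payload, rootfs entry left blank."""
    hdr = bytearray(KERNEL_OFF)
    info = b"product_name:example\nproduct_version:1.0.0.0\n"
    hdr[0xC:0xC + len(info)] = info
    hdr[0x4C:0x54] = b"os-linux"
    for off, val in ((0x8, MAGIC), (0x54, FLASH_BASE), (0x58, kernel_len),
                     (0x60, KERNEL_OFF), (0x64, kernel_len)):
        struct.pack_into(order + "I", hdr, off, val)
    blob = hdr + bytes(kernel_len + 1 + 0x1000)  # kernel, spacer, filler
    struct.pack_into(order + "I", blob, 0x0, len(blob))
    struct.pack_into(order + "I", blob, 0x4, zlib.crc32(blob[0x8:]))
    return bytes(blob)
```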

Possible Applicable Devices

  • Deco S4 V2