weird file format.

[l0ngb1t]

I have a file, probably it's a configuration file from a router or rom file, i am trying to display it in clear text, how ever if you open it in notepad++ you get some gibberish stuff with few clear texts words within, issuing the following command on a unix machine :

Code: Select all

file FILE_NAME

provide the following output

Code: Select all

PDP-11 UNIX/RT ldp

i google's alot about the LDP file format without getting any good answer...
so any ideas or hints?

[bad_brain]

hm, try this one and post the output:

Code: Select all

od -bc FILE_NAME | head

it might give some more info...

[l0ngb1t]

same result as hex-workshop... i used it to check the file...
i'll give it a show with binwalk once i install it.

EDIT: no result for binwalk also.

[bad_brain]

hm, well, from what I see it's not the "ldp" part which is important, it's the "PDP-11" one.
it points, as you have mentioned, to a .rom file which holds firmware for a router or embedded device in general:

http://en.wikipedia.org/wiki/PDP-11_architecture" onclick="window.open(this.href);return false;

aren't there any visible comments when you load it into a hex editor?

[l0ngb1t]

at the beginning

Code: Select all

Hdbgarea............H...

after few hunderds of 00's

Code: Select all

.6....boot........... ...Hspt.dat............hautoexec.net...

some 00's then the gibberish part and it ends by

Code: Select all

wan fakemac pvc run.wan adsl rate off.ip rip merge on.w dmt2 db tlb 32.ether driver etherppp on.w ghs set multi_number 3 3.w dmt2 set largeD 2.s dhcpprobe no.s cwmp setnovaluetype 1.ether portreverse on.sys cwmp recvtimeout 30.ip nat loopback on.wan dmt2 set pmonoff off.wan dmt eoc dyingasp off.w dmt2 set lpr off.rt mac2 ssid TP-LINK_.ip rip activate..ip icmp discovery enif0 off.ppp ipcp compress off.sys wdog sw on.sys quick enable

my goal is to convert the gibberish part to clear text... the file belongs to a tp-link modem.

[l0ngb1t]

here's the file http://www.sendspace.com/file/0o7ujx

EDIT: it turned out to be an LZW compressed binary file... working on reversing that... still no luck

[bad_brain]

have a look at: http://www.onlinedisassembler.com/odaweb/O2ayrC" onclick="window.open(this.href);return false;

takes a bit to load, the interesting stuff in in the functions on the left.
if it wasn't compiled as debug version you will not find much info though...

[l0ngb1t]

this guy had it figured out 4 years ago
http://www.hakim.ws/huawei/rom-0/kender.html

[bad_brain]

duh...

but I actually doubt this will have a real advantage to the hex version...I mean, instead of the text strings you get the text string and just some pointers, right? or do you get the full strings like "wep key == blahblah" ?

[l0ngb1t]

only part of the file is compressed using LZS compression, so by decompressing it you get clear text strings representing the admin password of the modem, wireless key, pppoe auth creds....

am trying to write an LZS decompression code with PHP... if anyone has such thing please let me know