Inspecting the firmware of a D-Link DWR-923 4G Modem
This is a step-by-step guide to extracting the different parts of the firmware on a D-Link 4G router. This is just for fun and out of curiosity to see what they are using.
First, let’s get some tools. When inspecting, extracting and reverse engineering firmware, you can’t live without a tool called binwalk. I downloaded 1.2.2 from here and, after brew install libmagic, I got it to compile on OS X Mavericks.
Remember to edit your ~/.bash_profile and add export PYTHONPATH=/usr/local/lib/python2.7/site-packages:$PYTHONPATH to it to get it to compile.
I got the firmware for the modem from this Swedish tech site.
Let’s binwalk
Open the terminal, go to the dir where your firmware is and type:
binwalk OG3611_v1.4.18.37_gui.img
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
14156 0x374C gzip compressed data, from Unix, last modified: Fri Oct 4 04:31:47 2013, max compression
2589708 0x27840C gzip compressed data, was "rootfs.ext2", from Unix, last modified: Fri Oct 4 04:32:16 2013, max compression
4980736 0x4C0000 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 20383349 bytes, 1506 inodes, blocksize: 131072 bytes, created: Fri Oct 4 04:32:55 2013
As you can see, there are three layers in this image: [Some data][rootfs][filesystem].
Right now, I’m interested in the filesystem. As you can see, it’s a Squashfs filesystem (a very common filesystem in firmware).
Chop off what we want
I want to check out the filesystem at the end of the firmware. To do that I use dd, which exists on all Macs. I want to start the chopping at offset 4980736 and I want it to be 20383349 bytes long.
dd if=OG3611_v1.4.18.37_gui.img bs=1 skip=4980736 count=20383349 of=d923.squashfs
That will create a file called d923.squashfs in the same dir as you’re in.
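The size, inode count and block size in the binwalk line are fields of the Squashfs superblock, so the same carve can be done by reading that header directly. The following is an added example, not part of the original post: it assumes the standard SquashFS 4.0 little-endian superblock layout, and the sample image built by make_sample() is constructed (including a decoy magic) so the script runs without the real firmware.

```python
import struct

SB = struct.Struct("<5I6H8Q")   # SquashFS 4.0 superblock: 96 bytes, little endian
MAGIC = b"hsqs"
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def find_squashfs(image):
    """Yield (offset, info) for each plausible SquashFS 4.x superblock in image."""
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + SB.size <= len(image):
            f = SB.unpack_from(image, pos)
            inodes, block_size, comp, block_log = f[1], f[3], f[5], f[6]
            major, minor, bytes_used = f[9], f[10], f[12]
            # Sanity checks reject a stray "hsqs" byte sequence elsewhere in the image.
            if (major == 4 and block_log < 32 and block_size == 1 << block_log
                    and SB.size <= bytes_used <= len(image) - pos):
                yield pos, {"inodes": inodes, "block_size": block_size,
                            "compression": COMPRESSORS.get(comp, "unknown"),
                            "version": f"{major}.{minor}", "size": bytes_used}
        pos = image.find(MAGIC, pos + 1)

def carve(image, offset, size):
    """Same bytes as dd bs=1 skip=offset count=size, without one-byte reads."""
    return image[offset:offset + size]

def make_sample():
    """Constructed test image: junk, a decoy magic, a tiny fake filesystem, a trailer."""
    payload = b"\xAA" * 32
    sb = SB.pack(0x73717368, 1506, 0, 131072, 0, 1, 17, 0, 0, 4, 0,
                 0, SB.size + len(payload), 0, 0, 0, 0, 0, 0)
    return b"\x00" * 16 + b"hsqs" + b"\xFF" * 108 + sb + payload + b"trailer"

if __name__ == "__main__":
    img = make_sample()
    for off, info in find_squashfs(img):
        print(off, hex(off), info)
        fs = carve(img, off, info["size"])
        print("carved", len(fs), "bytes")
```

To run it on the real image, replace make_sample() with the bytes of OG3611_v1.4.18.37_gui.img read in binary mode.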
Read squashfs
To read a squashfs filesystem, there is a tool called squashfs tools.
Download and unpack it.
Install it on OS X like this.
cd squashfs-tools
sed -i.orig 's/FNM_EXTMATCH/0/; s/sysinfo.h/sysctl.h/; s/^inline/static inline/' mksquashfs.c unsquashfs.c
# Paste all these rows (until END) at the same time
cat <<END >> xattr.h
#define llistxattr(path, list, size) \
(listxattr(path, list, size, XATTR_NOFOLLOW))
#define lgetxattr(path, name, value, size) \
(getxattr(path, name, value, size, 0, XATTR_NOFOLLOW))
#define lsetxattr(path, name, value, size, flags) \
(setxattr(path, name, value, size, 0, flags | XATTR_NOFOLLOW))
END
make
sudo cp mksquashfs unsquashfs /usr/local/bin
Let’s try it.
unsquashfs d923.squashfs
Wow, that creates a dir called squashfs-root in the current dir.
Now you can browse all files and check them out. In /var/www you have all HTML pages for the admin UI for the modem.
All Lua files are in /share/lua/5.1/ (Lua is like a lightweight PHP, Python, Ruby, whatever, and is commonly used in these types of firmware since it’s… well… lightweight).
And you can see that the creators of these files are TeamF1.
And that’s it!
Let me know if you find anything interesting.
This post was inspired by The Hacker Blog’s post on backdooring the Linksys WRT54G.