22 February 2010

For quite some time I’ve wanted to reverse engineer the airport express base station. There are two reasons for this. The first is that within this firmware are the private Airtunes keys. The second and more important part, at least for me, is that it is almost identical to a wrt54g plus it adds usb and sound-card. Getting linux/openwrt running on this would be wicked cool. The main issue with reversing apples firmwares for these access points is that they are encrypted and the airport express decrypts the firmware when flashing so you can’t really do anything fun with the firmware-update files.

A time back I posted on twitter that I needed a broken airport expresss! I go really lucky, a friend of mine saw the tweet and gave me his broken airport. I disassembled it and found out that the flash was AT45DB321B, which is nice because Atmel keeps their datasheet public, the not so good news was that it was BGA-mounted and my old soldering station wasn’t up for this. Everybody knows I’m a real ebay-whore, so I went to ebay and ordered this excellent hakko rework-station clone (YIHUA 852D+). This had the hot-air-gun that I needed. Here is a short video when I’m detaching the IC:

After desoldering I glued it to a breadboard and hooked up some wires, this was a bit tricky as this is quite small.

Photo of flash

After everything was hooked up, I attached it to my Bus Pirate and after a lot of trial and error managed to communicate with the chip.

Photo of my desk

Finally i wrote this small python-script that dumped the content of the chip.

I’m now in the possession of the unencrypted firmware for airport express, but still there are a lot of stuff remaing. The firmware is compressed, and I have had no success brute-force inflating it, so I may have to start reverse-engineering the bootloader just to get to the uncompressed firmware. Another option could be running it under qemu, the decompression-part that is, should be fairly generic MIPS-code. A third option would be to flash it on my wrt54g and do jtag-debugging, if I’m really lucky I’d get serial-port and bootloader on the linksys.

There are a lot for options going forward, I’ll post a new blog-entry when I make further progress. Please excuse the bad language in this post, I don’t want to spend time on grammar now that I have this very sexy binary blob right in front of me.

Happy hacking!