Cyrozap's Tech Projects

Computers. Circuits. Code.

Upgrading the Kyocera KR2 With the CradlePoint MBR1000 Firmware

This is the first post in my quest to get my Kyocera KR2 running some more modern firmware. For those of you who don't know, the CradlePoint MBR1000 3G/4G wireless router is essentially a rebranded Kyocera KR2 with different firmware and no PCMCIA slot. Internally, the hardware is exactly the same (except for the PCMCIA card slot). The MBR1000's firmware is more up-to-date than the KR2 firmware, with support for more 3G and 4G cellular cards, so I wanted to see if I could upgrade the firmware. If I do eventually get this to work, I'll probably lose the PCMCIA card slot functionality, but it will be worth it.

Here's what I have so far:

The MBR1000 has two firmware files, both with the .bin extension. The second firmware file contains the modem drivers and is not relevant. The first firmware file, however, is much more interesting. Here's the output after I ran binwalk on the u_mbr_2012_04_16.bin file:

0           0x0         Ubicom firmware header, checksum: 0x1C2EDFD2, image size: 1703936

It turns out that you can actually extract files from this archive (it's called an ARJ; I've never heard of that kind of archive before). So, using "The Archive Browser" on my Mac (it's a very good utility, by the way), I extracted a file called nightlies/mbrcore_2_0_0_Release_2012_04_16/build/bin/img.bin from it. This is what it's called when I extract it using The Archive Browser. When I use 7-Zip to extract it, instead of getting that directory structure in the file name, the directory structure is actually visible inside 7-Zip and you can browse through it. There aren't any additional files, though, so either way you get an image file out of it. Here's the binwalk output for that file:

97386       0x17C6A     JFFS2 filesystem (old) data big endian, JFFS node length: 53663
1552871     0x17B1E7    LZMA compressed data, properties: 0x84, dictionary size: 1393557504 bytes, uncompressed size: 606931776 bytes
1555019     0x17BA4B    LZMA compressed data, properties: 0xB8, dictionary size: 756023296 bytes, uncompressed size: 417925696 bytes
1557687     0x17C4B7    LZMA compressed data, properties: 0xE0, dictionary size: 403701760 bytes, uncompressed size: 680856384 bytes
1558159     0x17C68F    LZMA compressed data, properties: 0x84, dictionary size: 655360000 bytes, uncompressed size: 748555072 bytes
1990922     0x1E610A    PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
2019004     0x1ECEBC    TIFF image data, big-endian
2038803     0x1F1C13    GIF image data 8289 x 256
2044879     0x1F33CF    GIF image data, version 89a, 740 x 30

Wow! I wish I had this program a few years ago... Anyways, this is all very interesting stuff. The PNG (if you haven't already guessed from the size) is the favicon for the web interface; I have no idea what the TIFF is; after a little poking around, I found that the "8289 x 256" GIF is simply a spinning "loading" disk from here; and that last GIF is just some sort of simple footer image. All in all, nothing too special here. On to the Kyocera firmware!

The KR2 only uses one firmware image; the latest is called ZE1004.bin. Here's the binwalk output for it:

0           0x0         Ubicom firmware header, checksum: 0x6953B032, image size: 1507328
978291      0xEED73     TIFF image data, big-endian
1362951     0x14CC07    GIF image data, version 89a, 4128 x 256
1369624     0x14E618    GIF image data, version 89a, 16 x 16
1382219     0x15174B    TIFF image data, big-endian

Unfortunately, I wasn't able to extract anything from ZE1004.bin. Oh, well.

Noting that ZE1004.bin and u_mbr_2012_04_16.bin both had Ubicom firmware headers, I decided to compare them using "Hex Fiend." From that hex comparison, I found that the two files are remarkably similar. First of all, they are close to each other in file size (1.7 and 1.5 MB). Second, for the first 1.5 kB, there are only 37 differences, many of them being simple byte replacements. After that, the files become very different for a little over a megabyte. After that difference, though, there's a bunch of "FF" bytes, and these continue until the end of the file, where there is a 4-byte value that varies by one byte between the two files and is certainly not a checksum. In the MBR1000 file, you could remove around 200 kB worth of "FF" after the main code block and make it the same size as the KR2 file. After looking through the two files, it seems as though the KR2 file has much more code than the MBR1000 file, but this can be explained by the fact that the KR2 firmware has its modem drivers built-in.
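As an added example (not the author's own tooling), here is a small Python script that performs the same region-by-region comparison described above: it counts byte differences in the header region, locates the start of the trailing "FF" padding in each image, and pulls out the 4-byte trailer. The 1.5 kB header length and 4-byte trailer come from the description above; the two images it builds are constructed stand-ins, not the real KR2 or MBR1000 files.

```python
# Region-wise comparison of two Ubicom-style firmware images, mirroring
# the manual Hex Fiend comparison in the post: count byte differences in
# the header region, find where the trailing 0xFF padding begins, and pull
# out the 4-byte trailer after the padding.  Sample images are constructed
# for illustration; they are not the real KR2 / MBR1000 files.

def header_diff_count(a: bytes, b: bytes, header_len: int = 1536) -> int:
    """Byte positions that differ within the first header_len bytes."""
    return sum(1 for x, y in zip(a[:header_len], b[:header_len]) if x != y)

def padding_start(img: bytes, trailer_len: int = 4, pad: int = 0xFF) -> int:
    """Offset where the run of pad bytes before the trailer begins
    (len(img) - trailer_len if there is no padding at all)."""
    start = len(img) - trailer_len
    while start > 0 and img[start - 1] == pad:
        start -= 1
    return start

def trailer(img: bytes, trailer_len: int = 4) -> bytes:
    """The final trailer_len bytes of the image."""
    return img[-trailer_len:]

def compare_images(a: bytes, b: bytes, header_len: int = 1536) -> dict:
    """Summarise how two firmware images relate, region by region."""
    pa, pb = padding_start(a), padding_start(b)
    ta, tb = trailer(a), trailer(b)
    return {
        "sizes": (len(a), len(b)),
        "header_diffs": header_diff_count(a, b, header_len),
        "padding_start": (pa, pb),
        "padding_len": (len(a) - len(ta) - pa, len(b) - len(tb) - pb),
        "trailers": (ta.hex(), tb.hex()),
        "trailer_diffs": sum(1 for x, y in zip(ta, tb) if x != y),
        # 0xFF bytes that could be dropped from the larger image to match
        "size_delta": abs(len(a) - len(b)),
    }

# Constructed sample images (not real firmware): shared 1536-byte header with
# three byte substitutions, unrelated bodies, different 0xFF padding, trailers
# differing in one byte.
HEADER = bytes(range(256)) * 6
HEADER_B = bytearray(HEADER)
for off in (8, 9, 100):
    HEADER_B[off] ^= 0x55
IMG_A = HEADER + b"\x11" * 4000 + b"\xff" * 700 + b"\xde\xad\xbe\xef"
IMG_B = bytes(HEADER_B) + b"\x22" * 3500 + b"\xff" * 500 + b"\xde\xad\xbe\xee"

if __name__ == "__main__":
    for key, val in compare_images(IMG_A, IMG_B).items():
        print(f"{key}: {val}")
```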

At this point, I believe that if I can change the MBR1000 firmware to look like the KR2 firmware a little, I'll be able to trick my Kyocera KR2 into upgrading from the MBR1000 firmware file.

Things are beginning to look good!