SonicWALL TZ 170 Wireless (APL14-034)

The CPU is marked with 156-000022-00, JAL-AHG52G, and 0904B.

The power adapter included with the device is a DVE DSA-0151D-05 (5V, 2.4A).

Specs
Platform
Serial Num. = ?
FCC ID = ?
Industry Canada ID = ?
CPU Type = SONICWALL 156-000022-00
MIPS Rev = ?
CPU Speed = ?
Bus = ?
Flash Type = ?
Flash Chip = TOSHIBA TC58FVM6T2AFT65
Flash Size = 8 MB
Max Firmware Size = ?
RAM Size = 64 MB
RAM Chip = INFINEON HYB39S256160DTL-7
nvram Size = ?
ETH chip1 = SonicWALL Model?
ETH chip2 = Broadcom BCM5221A4KPT
ETH chip3 = Broadcom BCM5221A4KPT
Switch = Broadcom BCM5325MA2KQM
Console = TEXAS INSTRUMENTS MAX3243C
Port-based vlan = ?
802.1q vlan = ?
Ethernet Port Count = 1-10/100-WAN 5-10/100-LAN
Wired Standard = IEEE 802.3/3u
Ethernet interface OUI = 00:06:B1
boot_wait = ?
bootloader = ?
Flash Card Socket/Type = ?
SD/MMC Mod Support = ?
Expansion IF types = 1
PoE = ?
Power = 5 VDC, 2.4 A
Connector type/size = Barrel plug
LEDs/Color = Green
Size = ?
USB = ?
Serial Port = Management port on back
JTAG Port = ?
Supported by TJTAG/Version = ?
Special Features = ?

Radio
WI1 module = Senao NL-3054MP+ Frisbee
WI1 module IF = Mini PCI
Wireless Radio = Intersil ISL3686A
WLAN DSP processor = Intersil ISL3880
Wireless interface OUI = 00:06:B1
Antenna Connector Type = U.FL, RP-TNC
MIMO status = ?
Wireless Standard = IEEE 802.11b/g
802.11g = 6, 9, 12, 18, 24, 36, 48, 54 Mbps
802.11b = 1, 2, 5.5, 11 Mbps
WiFi Operating Frequency = 2.4 GHz
Radio cor_rev = ?
Radio Capabilities = ?

Other
Default IP address = 192.168.168.168
Default login user = admin
Default login password = password
Default SSID = sonicwall
OEM = ?
3rd Party Firmware Support = ?

Links of Interest

 * (INFODUMP) Sonicwall TZ-170

Serial Pinouts
TP1 > VCC
TP2 > TST_CLK
TP3 > 3V3
TP4 > 1V8
TP5 > GND
TP6 > GND

Pictures
Images FCCID 

DD-WRT Notes
Can't seem to find a TX or RX, but then again I'm not terribly familiar with serial communications either. Maybe I missed something?

Firmware Offsets
0x0000 > Section 1        [128 bytes]
 * [49 AF 08 12 30 2C 02 14] "Magic" header, 8 bytes. Found in all firmware images for TZ170 and one image for TZ-150.

0x0080 > Section 2        [640 bytes]

0x0300 > Section 3        [128 bytes]
 * 0x0300 - Always "SonicOS Standard" from what I can tell
 * 0x0320 - Firmware revision number, displayed verbatim in web interface
 * 0x0340 - Compiling machine name (?)
 * 0x0380 - Compiling user name (pseudo-confirmed)

0x03c0 > Section 4 [data] [ to  EOF ]
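A header reader built from the offsets above, as an added example (not code from the original page or from SonicWALL). It assumes the Section 3 fields are NUL-padded ASCII and that each field runs up to the next listed offset; `read_header`, `sample_image` and the field names are hypothetical, the sample image is constructed, and the MD5 sums are the three from the firmware list on this page.

```python
import hashlib

MAGIC = bytes.fromhex("49 AF 08 12 30 2C 02 14")   # 8-byte header at 0x0000
DATA_START = 0x03C0                                # Section 4 starts here
# Field -> (start, end). Assumption: each field runs up to the next listed offset.
FIELDS = {
    "product":    (0x0300, 0x0320),
    "version":    (0x0320, 0x0340),
    "build_host": (0x0340, 0x0380),
    "build_user": (0x0380, 0x03C0),
}
# MD5 sums from the firmware list on this page, with the version each is listed as.
LISTED_MD5 = {
    "d3f1c4a1db420ce05cec01a4b822baae": "3.0.0.4",
    "25f33a66b98e530766b875b76b382370": "3.1.0.15",
    "a2a66ddc1921cff321c16202d3c704dd": "3.1.0.2",
}

def read_header(image: bytes) -> dict:
    """Check the magic bytes and pull the Section 3 text fields out of an image."""
    if len(image) < DATA_START:
        raise ValueError("image is shorter than the 0x3c0-byte header")
    if not image.startswith(MAGIC):
        raise ValueError("magic header mismatch")
    info = {}
    for name, (start, end) in FIELDS.items():
        text = image[start:end].split(b"\x00", 1)[0]   # assumed NUL padding
        info[name] = text.decode("ascii", errors="replace")
    digest = hashlib.md5(image, usedforsecurity=False).hexdigest()
    info["md5"] = digest
    info["listed_version"] = LISTED_MD5.get(digest)    # None: not one of the three
    return info

def sample_image() -> bytes:
    """Constructed stand-in for a .sig file: header fields only, dummy payload."""
    img = bytearray(DATA_START + 32)
    img[0:8] = MAGIC
    texts = (b"SonicOS Standard", b"3.1.0.15", b"examplehost", b"exampleuser")
    for (start, _end), text in zip(FIELDS.values(), texts):
        img[start:start + len(text)] = text
    return bytes(img)

if __name__ == "__main__":
    print(read_header(sample_image()))
```

A `listed_version` of `None` means the file is not byte-identical to any of the three listed images, which is worth knowing before comparing offsets across versions.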

Mystery Filesystem
I could almost write an entirely different post for all the time that I spent decoding this. Having very little prior experience with filesystems, it was definitely a learning adventure to say the least. I haven't been able to figure out how the device decides where this filesystem begins and where it ends, but I am 100% certain that I've decoded the FAT table for whatever filesystem this is. It's worth noting that when you do, however, find the beginning of the FAT table, from that address to the end of the firmware image is the entirety of the filesystem (checked and confirmed by myself on multiple firmware versions).

A FAT entry for this system looks as follows:

00 00 3E C6 00 00 25 68 00 00 86 7A 0D 65 76 65 6E 74 6C 69 73 74 2E 74 78 74 00
..>Æ..%h..†z.eventlist.txt.

0x0000 - 0x0003 <> Location of file, offset from head of filesystem
0x0004 - 0x0007 <> Size of file in filesystem
0x0008 - 0x000B <> Size of file extracted and uncompressed/decrypted
0x000C <> Length of filename text
0x000D - to length <> filename + null character

The head of the filesystem is calculated by finding the first entry in the FAT, and subtracting 4 bytes. The 4 bytes before the first entry indicate how many files are stored in the system. For instance, for firmware version 3.1.0.15, there are 511 files contained in the image (encrypted of course). If you do a hex search for 0x01FF you will find two entries. The first is in the header, the second is about halfway to the end of the file. The second one is what we're looking at. From there, we know that immediately following this WORD value is the first entry in the FAT for "eventlist.txt".

The end of the filesystem can be calculated using the first FAT entry. For the "footer" of this filesystem, there are 8 bytes (two WORD values), right before the offset indicated by the first FAT entry. I have as of right now been unable to figure out what these values are in relation to everything else. They're not a static signature as they vary slightly between firmware versions. However, from what I can tell the first 3 bytes are always [08h 78h 9Ch] (unconfirmed). Hope I haven't forgotten anything!
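A parser for the FAT layout described above, as an added example (not code from the original page). It assumes the 4-byte fields are big-endian, which is how the sample entry reads, and it finds the table by searching for the first filename rather than for the file count; `find_fs_head`, `parse_fat` and `build_sample` are hypothetical names, and the test image is constructed around the entry quoted on this page.

```python
import struct
from typing import NamedTuple

class FatEntry(NamedTuple):
    name: str
    offset: int          # from head of filesystem
    stored_size: int     # size inside the image
    extracted_size: int  # size once extracted

def find_fs_head(image: bytes, first_name: bytes = b"eventlist.txt") -> int:
    """Return the address of the 4-byte file count before the first FAT entry."""
    needle = bytes([len(first_name)]) + first_name + b"\x00"
    pos = image.find(needle)          # points at the filename-length byte
    if pos < 16:
        raise ValueError("first FAT entry not found")
    return pos - 12 - 4               # back over three u32 fields, then the count

def parse_fat(image: bytes, head: int) -> list[FatEntry]:
    (count,) = struct.unpack_from(">I", image, head)
    fs_len = len(image) - head        # filesystem runs to the end of the image
    pos, entries = head + 4, []
    for _ in range(count):
        if pos + 13 > len(image):
            raise ValueError("FAT runs past end of image")
        offset, stored, extracted, nlen = struct.unpack_from(">IIIB", image, pos)
        raw = image[pos + 13 : pos + 13 + nlen + 1]
        if len(raw) != nlen + 1 or raw[-1] != 0:
            raise ValueError(f"bad filename at 0x{pos:x}")
        if offset + stored > fs_len:
            raise ValueError(f"{raw[:-1]!r} points outside the filesystem")
        entries.append(FatEntry(raw[:-1].decode("ascii"), offset, stored, extracted))
        pos += 13 + nlen + 1
    return entries

# Constructed sample: filler, a count of 2, the entry quoted on this page,
# one made-up second entry, then zero bytes standing in for file data.
PAGE_ENTRY = bytes.fromhex(
    "00 00 3E C6 00 00 25 68 00 00 86 7A 0D 65 76 65 6E 74 6C 69 73 74 2E 74 78 74 00")

def build_sample() -> bytes:
    second = struct.pack(">IIIB", 0x6500, 0x10, 0x20, 5) + b"a.txt\x00"
    return b"\xff" * 64 + struct.pack(">I", 2) + PAGE_ENTRY + second + bytes(0x7000)

if __name__ == "__main__":
    img = build_sample()
    for entry in parse_fat(img, find_fs_head(img)):
        print(entry)
```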

Firmware File Names/Versions
 * sw_tz170_s_eng_3.0.0.4.sig - Version 3.0.0.4 - [ MD5: d3f1c4a1db420ce05cec01a4b822baae ]
 * sw_tz170_s_eng_3.1.0.15.sig - Version 3.1.0.15 - [ MD5: 25f33a66b98e530766b875b76b382370 ]
 * sw_tz170_s_eng_3.1.0.2.sig - Version 3.1.0.2 - [ MD5: a2a66ddc1921cff321c16202d3c704dd ]

Miscellaneous Points of Note

 * The system OS is DEFINITELY VxWorks based...probably.
 * As of right now I can not get the TZ-170 to take any modified firmware image. This consisted of editing the "username" field in the header, to which the SonicWall cried out as it was not a "signed" firmware image.
 * I have just ordered an RS-232 TTL converter, and as soon as that gets here I will be poking around on the board looking for a secondary UART port. There are some nice pin groupings on the PCB that I can't wait to probe!
 * Figuring that I won't have any luck with the TTL converter, I will be trying to find the JTAG pinout of the processor, and hopefully I can dump something interesting/useful. Maybe I'll be able to sign those images! I'll be doing this with an Arduino, because I feel this affords me more flexibility when probing for pins. Plus, you know, Arduino!
 * This took me an hour and a half to organize and write, but probably just a few minutes for you to read! :]

Requests/How You Can Help
My eventual goal is to port OpenWRT/DD-WRT to this appliance, and hopefully this whole series of appliances! But as of right now I have hit a dead end. So if you have any ideas, experience, or hardware you'd like to contribute to this cause, please feel free to post/message me! Particularly, if you can shed any light onto how these images are encrypted/signed, I would be forever grateful. Also, you're wondering how you're supposed to obtain the firmware images listed above. There is a reason I have included the filename + the MD5 checksum. I'm not entirely sure, however, if Googling these files will return any results. If you would like me to send these images to you for reversing purposes, just message me. I have a nice little 7z archive with all three versions mentioned above sitting on my desktop. Lastly, thank you for taking the time to read this!