SonicWALL TZ 170 10 Node (APL11-029)

Hardware specification

 * CPU: SonicWall MIPS
 * Memory: 64MB (SDRAM)
 * Storage: 8MB NOR Flash
 * Network: 7x Fast Ethernet port
 * Power: 5V, 2.4A via barrel

Pictures
User Images 

Firmware Offsets
0x0000 > Section 1        [128 bytes]
 * [49 AF 08 12 30 2C 02 14] "Magic" header, 8 bytes. Found in all firmware images for TZ170 and one image for TZ-150.

0x0080 > Section 2        [640 bytes]

0x0300 > Section 3        [128 bytes]
 * 0x0300 - Always "SonicOS Standard" from what I can tell
 * 0x0320 - Firmware revision number, displayed verbatim in web interface
 * 0x0340 - Compiling machine name (?)
 * 0x0380 - Compiling user name (pseudo-confirmed)

0x03c0 > Section 4        [data] [to EOF]

Mystery Filesystem
I could almost write an entirely different post for all the time that I spent decoding this. Having very little prior experience with filesystems, it was definitely a learning adventure to say the least. I haven't been able to figure out how the device decides where this filesystem begins and where it ends, but I am 100% certain that I've decoded the FAT table for whatever filesystem this is. It's worth noting that when you do, however, find the beginning of the FAT table, from that address to the end of the firmware image is the entirety of the filesystem (checked and confirmed by myself on multiple firmware versions).

A FAT entry for this system looks as follows:

Hex:   00 00 3E C6 00 00 25 68 00 00 86 7A 0D 65 76 65 6E 74 6C 69 73 74 2E 74 78 74 00
ASCII: ..>Æ..%h..†z.eventlist.txt.

 * 0x0000 - 0x0003 <> Location of file, offset from head of filesystem
 * 0x0004 - 0x0007 <> Size of file in filesystem
 * 0x0008 - 0x000B <> Size of file extracted and uncompressed/decrypted
 * 0x000C <> Length of filename text
 * 0x000D - to length <> filename + null character

The head of the filesystem is calculated by finding the first entry in the FAT, and subtracting 4 bytes. The 4 bytes before the first entry indicate how many files are stored in the system. For instance, for firmware version 3.1.0.15, there are 511 files contained in the image (encrypted of course). If you do a hex search for 0x01ffh you will find two entries. The first is in the header, the second is about halfway to the end of the file. The second one is what we're looking at. From there, we know that immediately following this WORD value is the first entry in the FAT for "eventlist.txt".

The end of the filesystem can be calculated using the first FAT entry. For the "footer" of this filesystem, there are 8 bytes (two WORD values), right before the offset indicated by the first FAT entry. I have as of right now been unable to figure out what these values are in relation to everything else. They're not a static signature as they vary slightly between firmware versions. However, from what I can tell the first 3 bytes are always [08h 78h 9Ch] (unconfirmed).

Hope I haven't forgotten anything!
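The FAT layout described above can be walked mechanically. The following is an added example, not code from the original page: it assumes big-endian fields (as the sample entry suggests), validates each entry, and scans Section 4 for the first offset that parses as a complete table. The function names, the "start" key and the sample image are hypothetical; the image is constructed, not real firmware.

```python
import struct

MAGIC = bytes.fromhex("49AF0812302C0214")  # 8-byte header magic quoted on the page

def parse_fat(image, head):
    """Walk the FAT whose 4-byte big-endian file count sits at `head`.
    Returns a list of entries, or None if anything looks implausible."""
    if head + 4 > len(image):
        return None
    count = struct.unpack_from(">I", image, head)[0]
    pos, entries = head + 4, []
    for _ in range(count):
        if pos + 14 > len(image):
            return None
        offset, stored, extracted, nlen = struct.unpack_from(">IIIB", image, pos)
        end = pos + 13 + nlen                 # index of the name's trailing NUL
        name = image[pos + 13:end]
        if (end >= len(image) or image[end] != 0 or nlen == 0
                or not all(0x20 <= b < 0x7F for b in name)
                or head + offset + stored > len(image)):
            return None
        entries.append({"name": name.decode("ascii"), "start": head + offset,
                        "stored": stored, "extracted": extracted})
        pos = end + 1
    return entries or None

def find_fat(image, start=0x3C0):
    """Scan from the start of Section 4 for the first offset that parses as a full FAT."""
    if image[:8] != MAGIC:
        return None
    for head in range(start, len(image) - 4):
        entries = parse_fat(image, head)
        if entries:
            return head, entries
    return None

def build_sample():
    """Constructed image (not real firmware): header, filler, two-file filesystem."""
    files = [(b"eventlist.txt", b"A" * 20, 48), (b"b.bin", b"B" * 10, 10)]
    fat_len = 4 + sum(14 + len(name) for name, _, _ in files)
    fat, data = struct.pack(">I", len(files)), b""
    for name, blob, extracted in files:
        # offsets are relative to the head; 8 footer bytes sit between FAT and data
        fat += struct.pack(">IIIB", fat_len + 8 + len(data), len(blob), extracted,
                           len(name)) + name + b"\0"
        data += blob
    return MAGIC + bytes(0x3C0 - 8) + b"\xff" * 64 + fat + bytes(8) + data

if __name__ == "__main__":
    head, entries = find_fat(build_sample())
    print(hex(head), entries)
```

The stored bytes of each file are image[start:start + stored]; they are still in whatever compressed or encrypted form the firmware uses.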

Firmware File Names/Versions
 * sw_tz170_s_eng_3.0.0.4.sig - Version 3.0.0.4 - [ MD5: d3f1c4a1db420ce05cec01a4b822baae ]
 * sw_tz170_s_eng_3.1.0.15.sig - Version 3.1.0.15 - [ MD5: 25f33a66b98e530766b875b76b382370 ]
 * sw_tz170_s_eng_3.1.0.2.sig - Version 3.1.0.2 - [ MD5: a2a66ddc1921cff321c16202d3c704dd ]

Miscellaneous Points of Note

 * The system OS is probably VxWorks based...
 * As of right now I cannot get the TZ-170 to take any modified firmware image. This consisted of editing the "username" field in the header, to which the SonicWall cried out as it was not a "signed" firmware image.
 * I have just ordered an RS-232 TTL converter, and as soon as that gets here I will be poking around on the board looking for a secondary UART port. There are some nice pin groupings on the PCB that I can't wait to probe!
 * Figuring that I won't have any luck with the TTL converter, I will be trying to find the JTAG pinout of the processor, and hopefully I can dump something interesting/useful. Maybe I'll be able to sign those images! I'll be doing this with an Arduino, because I feel this affords me more flexibility when probing for pins. Plus, you know, Arduino!
 * This took me an hour and a half to organize and write, but probably just a few minutes for you to read! :]

Requests/How You Can Help
My eventual goal is to port OpenWRT/DD-WRT to this appliance, and hopefully this whole series of appliances! But as of right now I have hit a dead end. So if you have any ideas, experience, or hardware you'd like to contribute to this cause, please feel free to post/message me! Particularly, if you can shed any light onto how these images are encrypted/signed, I would be forever grateful.

Also, you may be wondering how you're supposed to obtain the firmware images listed above. There is a reason I have included the filename + the MD5 checksum. I'm not entirely sure, however, if Googling these files will return any results. If you would like me to send these images to you for reversing purposes, just message me. I have a nice little 7z archive with all three versions mentioned above sitting on my desktop.

Lastly, thank you for taking the time to read this!