[Time Capsule] run SSH on its NetBSD?

**rhcp** · 05-03-2008 07:16 PM

Heya,

Did anyone ever look into this?

It seems the firmware is crypted. at first glance.

Let me know. You may know me from openwii.org.

Thanks,

Rhcp
http://www.crond.org
http:/www.openwii.org

**Rello** · 05-07-2008 11:52 AM

Hi,

I think so.
try downloading the file
http://apsu.apple.com/data/107/061-4...3.1.basebinary

Any idea on how to start looking into this?
how to begin?

**Rello** · 06-25-2008 11:06 PM

bump
anyone on how to start to decrypt the file?

**Rello** · 07-01-2008 11:25 PM

Hi,

the new Version for the TC 7.3.2 came out and I did a complete network capture of all packages.
How can we use this to understand the update process?

**sam** · 07-02-2008 09:43 PM

Can you post this dump here? Maybe place it on rapidshare for us all to get and research.

**Rello** · 07-03-2008 12:49 AM

here they are.

the start of the airport-utility (where it searches and finds the TC)
http://rapid $ hare.com/files/126660095/airport-utility-start.pcap.html

The download of the firmware 7.3.2 (might not be that interesting)
ttp://rapid $ hare.com/files/126660682/TC-Update-Download.pcap.html

And the update process itself
http://rapid $ hare.com/files/126661240/TC-Update-Process.pcap.html

...these are all files I took with wireshark...

I could see that the communication runs via the port 5009 on the TC.
I think there are 2 questions:
1) is it possible to connect to the 5009 port somehow and do something?
2) or do we need to modify the firmware itself in order to enable SSH; Firefly Media Server and so on...

thank you for your help!

**Rello** · 07-14-2008 08:11 PM

hey guys,

i still need some help here - also I understand that the focus in on the iPhone now...

without having too much insights I would guess that the TC-Firmware (the .basebinary) is comparable to the iPhone: it is also an encrypted firmware I guess

I saw this thread regarding the dectyption of firmware
http://hackint0sh.org/forum/showthread.php?t=40063

but can we use a similar approach to see what is in the .basebinary?
Any hint on where to start; what to look for; what to "learn";...
would be great!!!

**Rello** · 07-16-2008 01:17 PM

anyone please?

**sam** · 07-16-2008 02:06 PM

I think the basebinary is more a much basic image than a actual firmware compareale to the iphone ipsw/dmg

As you can see from the file'S descritpr header, it is some kin d of propetery binary firmware format:
41 50 50 4C 45 2D 46 49 52 4D 57 41 52 45 00 00 00 00 00 6B 07 31 80 02 00 00 00 00 00 00 00 00 | APPLE-FIRMWARE.....k.1..........
41 50 50 4C 45 2D 46 49 52 4D 57 41 52 45 00 00 00 00 00 6B 07 31 80 02 00 00 00 02 00 00 00 00 | APPLE-FIRMWARE.....k.1..........

I have checked the history of .bsebinary and came up with that the same format is used for airport extreme before. There are also upgrades with utilities to upgrade device. I will take alook what it might be and talk back to you if I find something.

At least the updater has some intresting functions in it like _ACPVerifyAppleFirmwareImage