Reverse Engineering Firmware/JTAG Mapping

I was asking around the Hive on Tuesday June 14th about anyone who
might have experience with JTAG mapping and firmware reverse
engineering in regard to routers. Since I know a lot of people don't
make it to the Hive regularly, I figured I'd post here in addition.

I'm currently working to reverse engineer the Sonicwall TZ-170 network
appliance. For those of you not familiar with this device, it is a
corporate-level VPN/Router/Firewall with an 800MHz(?) processor and
64MB of RAM. Currently this little devil runs a special Sonicwall
"operating system" called SonicOS, which is based on VxWorks. I've
mapped all the chips and have all of their datasheets (minus the main
processor which looks to be a proprietary MIPS proc), but I don't know
much in the way of JTAG mapping and tracing leads on the PCB. What I'd
REALLY love to do is read the physical flash chip with some sort of
hacked-together device, but that's a big wish with little chance of it
actually happening that way. Right now I'm focusing mainly on mapping
the firmware structure, but again, it seems to be a format
specifically developed for this hardware.

If anyone has ANY sort of experience with anything even remotely
related to what I'm trying to accomplish, I'd love feedback and/or
advice. My eventual goal is to put something like OpenWRT on it, or
something that can benefit from running with 64MB of RAM and can fit
in an 8MB flash area. I'm also open to hacking around with other
routers at the Hive if you have one that no one has gotten into yet.
Thanks in advance, guys!