NOTE: During configuration or flashing a device, the only that should be hooked to the device is the computer and power.

 This section is in need of cleanup!

Platform

Serial Num. = ?
FCC ID = ?
CPU Type = SONICWALL 156-000022-00
MIPS Rev = ?
CPU Speed = ?
Bus = ?
Flash Type = ?
Flash Chip = TOSHIBA TC58FVM6T2AFT65
Flash Size = 8MB
Max Firmware Size = ?
RAM Size = 64MB
RAM Chip = INFINEON HYB39S256160DTL-7
nvram Size = ?
Switch = Broadcom BCM5325MA2KQM
WAN = Broadcom BCM5221A4KPT
OPT = Broadcom BCM5221A4KPT
Console = TEXAS INSTRUMENTS MAX3243C
Port-based vlan = ?
802.1q vlan = ?
Ethernet Port Count = ?
Wired Standard = IEEE 802.3?
boot_wait = ?
bootloader = ?
Flash Card Socket/Type = ?
SD/MMC Mod Support = ?
MiniPCI slots = No
PoE = ?
Power = 5V/2.4A
Color of LEDs = Green
Size = ?
USB = ?
Serial Port = Management port on back
JTAG Port = ?
Supported by TJTAG/Version = ?
Special Features = ?

Radio

Wireless Radio = ?
WLAN DSP processor = ?
Antenna Connector Type = ?
Wireless Standard = ??? IEEE 802.11a/b/g/n
WiFi Operating Frequency = ?
 ??? 802.11n = up to 300Mbps
 ??? 802.11g = 6, 9, 12, 18, 24, 36, 48, 54Mbps
 ??? 802.11b = 1, 2, 5.5, 11Mbps
 ??? 802.11a = 6, 9, 12, 18, 24, 36, 48, 54Mbps
Radio cor_rev = ?
Radio Capabilities = ?

• (INFODUMP) Sonicwall TZ-170

 This section is in need of cleanup!

 This section is in need of cleanup!

 This section is in need of cleanup!

JTAG PinoutsEdit

 This section is in need of cleanup!

JTAG RecoveryEdit

 This section is in need JTAG Recovery Instructions!

Serial PinoutsEdit

TP1 > VCC
TP2 > TST_CLK
TP3 > 3V3
TP4 > 1V8
TP5 > GND
TP6 > GND

Hyper terminal Setup in Windows XPEdit

In Windows XP, Click Start Button - All Programs - Accessories - 
   Communication - HyperTerminal
Enter a name for the connection, Click ok
Choose com port you adapter is plugged into, Click ok
Set:
 Bits per second = 115200
 Data Bits = 8
 Parity = none
 Stop bits = 1
 Flow control = none
Click ok
Click File - Save As, and select a place to save it to so you 
             don't have to enter the settings again.

Putty Setup in Windows XPEdit

After installing putty, run it
 Serial line = The COM port your using for serial (ie. COM3)
 Speed = 115200
Click on Serial under Connection
 Serial line to connect to = same as above (Serial line)
 Speed (baud) = 115200
 Data bits = 8
 Stop bits = 1
 Parity = None
 Flow control = None
Click Session
 Enter a name for your connection under saved sessions
Click Save
Click Open

Serial RecoveryEdit

 This section is in need of Serial Recovery Instructions!

 This section is in need of cleanup!

 This section is in need of cleanup!

 This section is in need of cleanup!

 This section is in need of cleanup!

Can't seem to find a TX or RX, but then again I'm not terribly familiar with serial communications either. Maybe I missed something?

Firmware OffsetsEdit

0x0000 > Section 1         [128 bytes]
  * [49 AF 08 12 30 2C 02 14] "Magic" header, 8 bytes. Found in all firmware images for TZ170
                               and one image for TZ-150.

0x0080 > Section 2         [640 bytes]

0x0300 > Section 3         [128 bytes]
  * 0x0300 - Always "SonicOS Standard" from what I can tell
  * 0x0320 - Firmware revision number, displayed verbatim in web interface
  * 0x0340 - Compiling machine name (?)
  * 0x0380 - Compiling user name (pseudo-confirmed)

0x03c0 > Section 4 [data]  [ to  EOF ]

Mystery FilesystemEdit

I could almost write an entirely different post for all the time that I spent decoding this. Having very little prior experience with filesystems, it was definitely a learning adventure to say the least. I haven't been able to figure out how the device decides where this filesystem begins and where it ends, but I am 100% certain that I've decoded the FAT table for whatever filesystem this is. It's worth noting that when you do, however, find the beginning of the FAT table, from that address to the end of the firmware image is the entirety of the filesystem (checked and confirmed by myself on multiple firmware versions).

A FAT entry for this system looks as follows:

00 00 3E C6 00 00 25 68 00 00 86 7A 0D 65 76 65 6E 74 6C 69 73 74 2E 74 78 74 00
.  .  >  Æ  .  .  %  h  .  .  †  z  .  e  v  e  n  t  l  i  s  t  .  t  x  t  .

0x0000 - 0x0003 <> Location of file, offset from head of filesystem
0x0004 - 0x0007 <> Size of file in filesystem
0x0008 - 0x000B <> Size of file extracted and uncompressed/decrypted
         0x000C <> Length of filename text
0x000D - to length <> filename + null character

The head of the filesystem is calculated by finding the first entry in the FAT, and subtracting 4 bytes. The 4 bytes before the first entry indicate how many files are stored in the system. For instance, for firmware version 3.1.0.15, there are 511 files contained in the image (encrypted of course). If you do a hex search for 0x01ffh you will find two entries. The first is in the header, the second is about halfway to the end of the file. The second one is what we're looking at. From there, we know that immediately following this WORD value is the first entry in the FAT for "eventlist.txt". The end of the filesystem can be calculated using the first FAT entry. For the "footer" of this filesystem, there are 8 bytes (two WORD values), right before the offset indicated by the first FAT entry. I have as of right now been unable to figure out what these values are in relation to everything else. They're not a static signature as they vary slightly between firmware versions. However, from what I can tell the first 3 bytes are always [08h 78h 9Ch] (unconfirmed). Hope I haven't forgotten anything!

Firmware File Names/VersionsEdit

  * sw_tz170_s_eng_3.0.0.4.sig  - Version 3.0.0.4  - [ MD5: d3f1c4a1db420ce05cec01a4b822baae ]
  * sw_tz170_s_eng_3.1.0.15.sig - Version 3.1.0.15 - [ MD5: 25f33a66b98e530766b875b76b382370 ]
  * sw_tz170_s_eng_3.1.0.2.sig  - Version 3.1.0.2  - [ MD5: a2a66ddc1921cff321c16202d3c704dd ]

Miscellaneous Points of NoteEdit

• The system OS is probably VxWorks based...
• As of right now I can not get the TZ-170 to take any modified firmware image. This consisted of editing the "username" field in the header, to which the SonicWall cried out as it was not a "signed" firmware image.
• I have just ordered an RS-232 TTL converter, and as soon as that gets here I will be poking around on the board looking for a secondary UART port. There are some nice pin groupings on the PCB that I can't wait to probe!
• Figuring that I won't have any luck with the TTL converter, I will be trying to find the JTAG pinout of the processor, and hopefully I can dump something interesting/useful. Maybe I'll be able to sign those images! I'll be doing this with an Arduino, because I feel this affords me more flexibility when probing for pins. Plus, you know, Arduino!
• This took me an hour and a half to organize and write, but probably just a few minutes for you to read! :]

Requests/How You Can HelpEdit

My eventual goal is to port OpenWRT/DD-WRT to this appliance, and hopefully this whole series of appliances! But as of right now I have hit a dead end. So if you have any ideas, experience, or hardware you'd like to contribute to this cause, please feel free to post/message me! Particularly, if you can shed any light onto how these images are encrypted/signed, I would be forever grateful. Also, you're wondering how you're supposed to obtain the firmware images listed above. There is a reason I have included the filename + the MD5 checksum. I'm not entirely sure, however, if Googling these files will return any results. If you would like me to send these images to you for reversing purposes, just message me. I have a nice little 7z archive will all three versions mentioned above sitting on my desktop. Lastly, thank you for taking the time to read this!

Hardware ModificationEdit