Since the firmware tool I was writing evolved to the point where it can unpack firmware, it has become possible to unpack Cisco 7941/7961 firmware for research purposes.
I'll write a separate article about Cisco phones in general; for now, some basics about the firmware.
Main firmware package structure
So there is a shiny new firmware package, let's say cmterm-7941_7961-sip.8-3-1.zip.
After unpacking it, there is this exciting file list:
dsp41.8-3-0-50.sbn
jar41sip.8-3-0-50.sbn
SIP41.8-3-1S.loads
term41.default.loads
term61.default.loads
Looking at these names, I want to grab my favorite text editor, the greatest Microsoft Word, and dump, dump, dump immediately.
I assume you've read the Cisco firmware packer/unpacker project page. I'll describe the very first firmware analysis results in order of the components' importance. My classification may well be incorrect, but that is not the point right now.
Firmware files purpose
term41.default.loads and term61.default.loads
I think the filenames tell us that these files contain the names of the firmware parts to load from TFTP according to the phone model (41/61), since the firmware package is the same for this pair of phone models. Actually, the firmwares I dealt with contained identical files for both models, as these phones differ only in minor things like the number of softkeys, PoE support, screen properties or something like that. Like all other files in the firmware, these two are signed with a digital signature, but phones accept unsigned files by default, so you can just cut it out and place the unsigned file on TFTP.
cnu41.8-3-1-xx.sbn
This is the main part of the phone OS, the so-called CNU (Cisco Native Unix). It seems to contain the kernel/loader and a few .trc files, likely intended to configure tracing and logging for system components. The first unpacker version couldn't correctly unpack this file because it is packed with a non-standard filetable entry. It was unclear how to unpack such files. The current firmware tool unpacks such files to .raw1, .raw2 etc. in the main unpacked firmware directory, in case there is more than one such file, though so far I've never met such firmware files.
apps41.8-3-0-50
This file contains the UNIX environment applications. As in all other firmware components, they just have full filenames and content. I don't know how these files are placed into the phone filesystem, as I don't know its type.
cvm41sip.8-3-0-50.sbn
The phone's user environment and system functions are built with Java. This component seems to contain a compressed application or virtual machine binary, for use with classes in another firmware part. It contains makahacvm.cnz, which is actually a gzip-packed file created on a FAT filesystem on Windows, as the 'file' utility says. After unpacking we get an interesting file with the "DEADBEEF 1.0 (0.1) default" signature, which contains miscellaneous high-level phone functions like configuration loading/parsing and others that make this device what we call a Cisco 7941. I'm not a Java guru, but I think this is either a VM for embedded devices or specially compiled software to use with the following component.
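What 'file' reports here comes from the gzip header itself (RFC 1952), where byte 9 is the OS that created the archive and 0 means FAT. The following Python sketch is an added example, not part of the firmware tool: it parses that header, inflates the payload and verifies the trailer, using a constructed stand-in for makahacvm.cnz (the stored name, padding and signature offset 0 are assumptions).

```python
import struct
import zlib

# OS byte values defined by RFC 1952 (subset); 'file' prints the same field.
GZIP_OS = {0: "FAT filesystem (MS-DOS, OS/2, NT/Win32)", 3: "Unix", 11: "NTFS filesystem (NT)"}
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10


def parse_gzip_header(blob):
    """Return (info dict, offset of the raw deflate stream) for one gzip member."""
    if len(blob) < 10 or blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip/deflate stream")
    flags, mtime, _xfl, os_id = struct.unpack_from("<BIBB", blob, 3)
    pos = 10
    if flags & FEXTRA:                      # optional extra field: 2-byte length + data
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    name = None
    if flags & FNAME:                       # NUL-terminated original filename
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("latin-1")
        pos = end + 1
    if flags & FCOMMENT:                    # NUL-terminated comment
        pos = blob.index(b"\0", pos) + 1
    if flags & FHCRC:                       # 2-byte header CRC
        pos += 2
    return {"os": GZIP_OS.get(os_id, f"other ({os_id})"), "mtime": mtime, "name": name}, pos


def unpack_cnz(blob):
    """Parse the header, inflate the payload and check the CRC32/size trailer."""
    info, pos = parse_gzip_header(blob)
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate, header already consumed
    data = inflater.decompress(blob[pos:])
    if not inflater.eof or len(inflater.unused_data) < 8:
        raise ValueError("truncated gzip member")
    crc, size = struct.unpack("<II", inflater.unused_data[:8])
    if crc != zlib.crc32(data) or size != len(data) & 0xFFFFFFFF:
        raise ValueError("gzip trailer mismatch (corrupt file)")
    return info, data


def build_sample():
    """Constructed stand-in for makahacvm.cnz: gzip member with OS byte 0 (FAT)."""
    payload = b"DEADBEEF 1.0 (0.1) default" + bytes(64)   # signature plus padding
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    body = deflater.compress(payload) + deflater.flush()
    header = b"\x1f\x8b\x08" + struct.pack("<BIBB", FNAME, 0, 0, 0) + b"makahacvm\0"
    return header + body + struct.pack("<II", zlib.crc32(payload), len(payload))
```

Calling unpack_cnz() on the bytes of a real .cnz file returns the same header fields together with the inflated payload, and a ValueError indicates a truncated or damaged extraction.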
jar41sip.8-3-0-50.sbn
This file is rather strange. It contains Makaha.jar, which seems to be used with the VM, but there are also inetd.conf, kernel modules, an init script and the images displayed during various phone operations. I don't know why all that stuff is placed here instead of in apps.sbn or a separate file, but this is the most interesting file for those of you who just want to get root access on the device, as it contains /etc/passwd ;) There are also a few files with DSP coefficients and params.
dsp41.8-3-0-50.sbn
Contains DSP firmware and loader files.
