I am trying to extract this firmware, but I ran into some problems. The first binwalk scan of the firmware shows this:
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
48 0x30 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 992240 bytes
275832 0x43578 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 65011 bytes
312165 0x4C365 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6425 bytes
314338 0x4CBE2 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6198 bytes
316542 0x4D47E LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 11645 bytes
319496 0x4E008 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9923 bytes
322366 0x4EB3E LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3981 bytes
323721 0x4F089 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1269 bytes
324228 0x4F284 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9785 bytes
327024 0x4FD70 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9717 bytes
329754 0x5081A LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9957 bytes
332630 0x51356 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4544 bytes
334066 0x518F2 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 378 bytes
334305 0x519E1 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1019 bytes
334787 0x51BC3 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 12756 bytes
338395 0x529DB LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 16497 bytes
343482 0x53DBA LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 11019 bytes
347416 0x54D18 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 39577 bytes
358366 0x577DE JPEG image data, JFIF standard 1.02
358907 0x579FB JPEG image data, JFIF standard 1.02
359442 0x57C12 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1787 bytes
361070 0x5826E LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 893 bytes
361902 0x585AE LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 637 bytes
362528 0x58820 JPEG image data, JFIF standard 1.02
363522 0x58C02 JPEG image data, JFIF standard 1.02
364963 0x591A3 JPEG image data, JFIF standard 1.01
376049 0x5BCF1 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 683 bytes
376714 0x5BF8A LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 761 bytes
377462 0x5C276 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 225 bytes
377638 0x5C326 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4146 bytes
378953 0x5C849 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1487 bytes
379723 0x5CB4B LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2240 bytes
380729 0x5CF39 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1527 bytes
381510 0x5D246 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 8294 bytes
384148 0x5DC94 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 10412 bytes
385299 0x5E113 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 16812 bytes
389806 0x5F2AE LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9294 bytes
391417 0x5F8F9 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9108 bytes
392764 0x5FE3C LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4796 bytes
393633 0x601A1 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3710 bytes
394440 0x604C8 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 7870 bytes
395948 0x60AAC LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 10764 bytes
398896 0x61630 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6804 bytes
400960 0x61E40 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2135 bytes
401785 0x62179 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2864 bytes
402878 0x625BE LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3747 bytes
404192 0x62AE0 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2776 bytes
405196 0x62ECC LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6761 bytes
407148 0x6366C LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1582 bytes
407859 0x63933 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6849 bytes
409864 0x64108 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4678 bytes
411440 0x64730 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 11297 bytes
414011 0x6513B LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3990 bytes
415534 0x6572E LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 12540 bytes
418894 0x6644E LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3623 bytes
420239 0x6698F LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 13366 bytes
423782 0x67766 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 5498 bytes
425717 0x67EF5 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1524 bytes
426450 0x681D2 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 28728 bytes
434580 0x6A194 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 18125 bytes
439538 0x6B4F2 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 36719 bytes
445116 0x6CABC LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1940 bytes
Checking the hexdump, I found that binwalk detects the LZMA magic number '5d 00', but I think this is inconsistent and a false positive:
root@kali:~/Desktop/Firmwares/DLink# cat hexdump.txt | grep '5d 00'
00000030 5d 00 00 00 02 f0 23 0f 00 00 00 00 00 00 20 20 |].....#....... |
0000c7b0 f9 5d 00 0e e6 e7 55 ca 16 5f d1 c9 67 67 30 c7 |.]....U.._..gg0.|
00049900 ac 00 5d 00 00 00 02 c9 1d 00 00 00 00 00 00 00 |..].............|
0004a2c0 6e 93 3d d1 e8 e3 96 5a f9 17 38 b1 28 5d 00 00 |n.=....Z..8.(]..|
0004bb30 25 14 f9 96 26 85 58 20 18 07 b9 fa e3 5d 00 00 |%...&.X .....]..|
0004c360 9f f6 e9 d8 28 5d 00 00 00 02 19 19 00 00 00 00 |....(]..........|
0004cbe0 f6 20 5d 00 00 00 02 36 18 00 00 00 00 00 00 00 |. ]....6........|
0004d470 3f 38 df 6f 97 98 4b 41 0d 83 14 d8 4d 00 5d 00 |?8.o..KA....M.].|
0004e000 78 c4 bc c4 11 98 56 00 5d 00 00 00 02 c3 26 00 |x.....V.].....&.|
0004eb30 e6 73 64 e2 bc fa 37 7a 11 0d 3c b1 d2 af 5d 00 |.sd...7z..<...].|
0004f080 57 ad 80 5f 20 ef 40 0e 7c 5d 00 00 00 02 f5 04 |W.._ .@.|]......|
0004f280 1a 1c ab 00 5d 00 00 00 02 39 26 00 00 00 00 00 |....]....9&.....|
0004fd70 5d 00 00 00 02 f5 25 00 00 00 00 00 00 00 1e 12 |].....%.........|
After that, I looked through the hexdump and found some strings at 00000000 and 00042fa0:
00000000 41 49 48 30 4c 0f c1 fb 80 00 01 00 00 04 2f 74 |AIH0L........./t|
00042fa0 6e 23 00 00 41 49 48 30 4c 0f c1 fb 00 00 00 00 |n#..AIH0L.......|
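Googling AIH0L, I did not find anything useful, and now I am stuck.
Other things I tried were searching the hexdump for bin img sqsh sqsh sh and other strings, but without results.
The entropy analysis also looks strange to me.
Has anyone run into this problem, or can anyone figure out how to extract this? Regards.
Edit: Searching the hexdump file for the filesystem string 'fs', I found a zfs header: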
t@kali:~/Desktop/Firmwares/DLink# cat hexdump.txt | grep zfs
0000b990 65 a7 0c aa 7a 66 73 24 1e bc b6 e8 d7 c4 29 1a |e...zfs$......).|
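I am not sure whether this points to a real zfs or whether it is just a coincidence. I copied the firmware from that position to the end, but the new file is not recognized, and the binwalk scan is the same as above.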
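
An added example, not part of the original post: one way to tell a real LZMA stream from a stray '5d 00' is to decode the 13-byte LZMA "alone" header (properties byte, little-endian dictionary size, little-endian uncompressed size) and then attempt a trial decompression. The two header constants are copied from the hexdump lines at 0x30 and 0xc7b0 above; the function names, the plausibility limits and the sample image are assumptions constructed for this illustration.

```python
import lzma
import struct

UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF   # size field when the stream ends with a marker
MAX_PLAUSIBLE_SIZE = 1 << 30        # assumed upper bound for one firmware section

def parse_lzma_header(buf, off):
    """Decode the 13-byte LZMA 'alone' header at off; None if implausible."""
    if off + 13 > len(buf):
        return None
    props, dict_size, size = struct.unpack_from("<BIQ", buf, off)
    if props >= 9 * 5 * 5:                              # lc/lp/pb out of range
        return None
    if dict_size == 0 or dict_size & (dict_size - 1):   # heuristic: power of two
        return None
    if size != UNKNOWN_SIZE and size > MAX_PLAUSIBLE_SIZE:
        return None
    return {"lc": props % 9, "lp": props // 9 % 5, "pb": props // 45,
            "dict_size": dict_size, "size": size}

def trial_decompress(buf, off, limit=1 << 26):
    """Return the decompressed bytes if a real stream starts at off, else None."""
    if parse_lzma_header(buf, off) is None:
        return None
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(buf[off:], max_length=limit)
    except lzma.LZMAError:
        return None
    return out if dec.eof else None     # eof is set only when the stream completes

def confirmed_streams(buf):
    """Offsets of every '5d 00' candidate that actually decompresses."""
    hits, pos = [], buf.find(b"\x5d\x00")
    while pos != -1:
        if trial_decompress(buf, pos) is not None:
            hits.append(pos)
        pos = buf.find(b"\x5d\x00", pos + 1)
    return hits

# Header bytes copied from the hexdump lines at 0x30 and 0xc7b0 (offset 0xc7b1).
HDR_0X30 = bytes.fromhex("5d00000002f0230f0000000000")
HDR_0XC7B1 = bytes.fromhex("5d000ee6e755ca165fd1c96767")

# Constructed sample image: padding, one real stream, then a stray '5d 00'.
PAYLOAD = b"constructed firmware section " * 64
SAMPLE = (b"\xaa" * 48 + lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)
          + bytes.fromhex("f95d000ee6e755ca165fd1c9676730"))
```

The header at 0x30 decodes to the same dictionary size and uncompressed size that binwalk reports for offset 48, while the '5d 00' at 0xc7b1 fails the header check before any decompression is attempted.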