Unpacking the 亿5102 firmware

reverse-engineering firmware unpacking mips
2021-06-19 08:29:18

I'm trying to unpack this firmware image, but I'm having some trouble understanding its structure.

First, I have an image named firmware.bin; the file command reports it as a LIF file:

firmware.bin: lif file

Then I analyzed it with binwalk:

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------
84992       0x14C00     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 65616, compressed size: 16606, uncompressed checksum: 0xBA2A, compressed checksum: 0x913E, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
85043       0x14C33     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65616 bytes
128002      0x1F402     GIF image data, version 8"9a", 200 x 50
136194      0x21402     GIF image data, version 8"7a", 153 x 55
349184      0x55400     ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 3113824, compressed size: 733298, uncompressed checksum: 0x3B9C, compressed checksum: 0xBBBA, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
349235      0x55433     LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3113824 bytes

As you can see, there are 2 LZMA streams, 2 ZynOS headers (the LZMA parts have also been carved out) and 2 images. After carving out the LZMA data I decompressed it; the first one is a single binary, but the second one is another LZMA file that contains 127 files, each with many new files inside.

Example of file contents

I think I'm not following the right steps to unpack it, so I'd like to know how I can cleanly get at the main filesystem?

1 Answer

As you may have guessed, the output of the file utility is a false positive. The beginning of the firmware.bin file contains what looks like a basic header (note the "SIG" string near the start of the file) and a bunch of MIPS executable code, which is probably the bootloader:

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
196             0xC4            MIPS instructions, function epilogue
284             0x11C           MIPS instructions, function epilogue
372             0x174           MIPS instructions, function epilogue
388             0x184           MIPS instructions, function epilogue
416             0x1A0           MIPS instructions, function epilogue
424             0x1A8           MIPS instructions, function prologue
592             0x250           MIPS instructions, function epilogue
712             0x2C8           MIPS instructions, function epilogue
720             0x2D0           MIPS instructions, function prologue
832             0x340           MIPS instructions, function epilogue
840             0x348           MIPS instructions, function prologue
912             0x390           MIPS instructions, function epilogue
920             0x398           MIPS instructions, function prologue
976             0x3D0           MIPS instructions, function epilogue
984             0x3D8           MIPS instructions, function epilogue
1084            0x43C           MIPS instructions, function epilogue
1192            0x4A8           MIPS instructions, function epilogue
1264            0x4F0           MIPS instructions, function epilogue
...

Running strings on the firmware.bin binary seems to support this assumption; there are many references to checksum and decompression errors:

checksum error! (cal=%04X, should=%04X)
     signature error!
     (Compressed)
start: %p
     unmatched objtype between memMapTab and image!
     Length: %X, Checksum: %04X
     Version: %s, 
     Compressed Length: %X, Checksum: %04X
memMapTab Checksum Error! (cal=%04X, should=%04X)
memMapTab Checksum Error!
%3d: %s(%s), start=%p, len=%X
%s Section:
memMapTab: %d entries, start = %p, checksum = %04X
$USER Section:
signature error!
ROMIO image start at %p
code length: %X
code version: %s
code start: %p
Decompressed image Error!
Decompressed image Checksum Error! (cal=%04X, should=%04X)
ROM length(%X) > RAM length (%X)!
Can't find %s in $ROM section.
Can't find %s in $RAM section.
RasCode

A quick check of the strings in the two decompressed LZMA files you found shows that the smaller one (at offset 0x14C33) appears to contain some debug interface code, probably meant to be accessed over the device's UART:

                        UART INTERNAL  LOOPBACK TEST
                        UART EXTERNAL  LOOPBACK TEST
ERROR
======= HTP Command Listing =======
< press any key to continue >
 macPHYCtrl.value=
                        MAC INTERNAL LOOPBACK TEST 
                        MAC EXTERNAL LOOPBACK TEST 
                        MAC INTERNAL LOOPBACK 
                        MAC EXTERNAL LOOPBACK 
 LanIntLoopBack ...
Tx Path Full, Drop packet:%d
0x%08x
tx descrip %d:
rx descrip %d:
%02X 
%08X: 
< Press any key to Continue, ESC to Quit >
0123456789abcdefghijklmnopqrstuvwxyz
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
<NULL>
) Register Dump *****
***** ATM SAR Module: VC(
Reset&Identify reg   = 
Traffic Sched. TB reg= 
TX Data ctrl/stat reg= 
RX Data ctrl/stat reg= 
Last IRQ Status reg  = 
IRQ Queue Entry len  = 
VC IRQ Mask register = 
TX Data Current descr= 
RX Data Current descr= 
TX Traffic PCR       = 
TX Traffic MBS/Type  = 
TX Total Data Count  = 
VC IRQ CC Mask reg   = 
TX CC Current descr  = 
TX CC Total Count    = 
RX Miss Cell Count   = 
***** ATM SAR Module: Common Register Dump *****

The second, larger file (at offset 0x55433) appears to contain Green Hills' ThreadX RTOS:

RTA231CV Reserved String
anonymous
www.huawei.com
1000
tc-e4f6ed2f5b87<
MSFT 5.07
user<
MSFT 5.07
LXT972
"AC101L
CIP101
RTL8201
CAC201
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
System Timer Thread
Copyright (c) 1996-2000 Express Logic Inc. * ThreadX R3900/Green Hills Version G3.0f.3.0b *

If you're not familiar with RTOSes, they are usually just one big kernel, with no concept of user space vs. kernel space or of what you would think of as a normal filesystem, although they will contain things like the images and HTML files for this device's web interface (see here for an example of how these kinds of files are stored/accessed in some VxWorks systems).

What I'm getting at is that you have pretty much already extracted this firmware down to its basic parts. To analyze the bootloader or the two extracted LZMA files any further, you will need to start disassembling them, which involves determining the memory addresses they are loaded at during boot, identifying code/data sections, looking for possible symbol tables, identifying common functions, and probably writing some scripts to help with all of the above.