Getting empty files using Firmware Mod Kit

reverse-engineering firmware unpacking embedded
2021-06-19 00:21:44

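I ran into problems extracting the file system of a ZTE zxv10 h201 router. I am a beginner at reverse engineering, so I may be doing something wrong. Here is what I have done so far. I obtained the admin username and password for the web interface and enabled telnet. I connected to the router using telnet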

BusyBox v1.01 (2012.01.29-08:14+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat proc/mtd 
dev:    size   erasesize  name
mtd0: 00800000 00010000 "whole_flash"
mtd1: 00020000 00010000 "bootloader"
mtd2: 00040000 00010000 "userconfig"
mtd3: 00150000 00010000 "kernel"  
mtd4: 00650000 00010000 "filesystem"
# 
# help

Built-in commands:
-------------------
    . : break cd chdir continue eval exec exit export false hash
    help local pwd read readonly return set shift times trap true
    type ulimit umask unset wait [ ash brctl busybox cat cp date
    df echo free fuser getty hostname ifconfig init insmod kill killall
    linuxrc ln login ls lsmod mkdir mknod mount mv passwd ping ps
    pwd reboot rm rmdir rmmod setmac sh test tftp top traceroute
    umount wget

# 

Then I used

# cat /dev/mtdblock4 > /mnt/usb1_1/filesystem
# cat /dev/mtdblock0 > /mnt/usb1_1/whole_flash

to transfer the binaries to a USB drive plugged into the router. This is what I get with binwalk whole_flash

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1288          0x508           CFE boot loader
7204          0x1C24          LZMA compressed data, properties: 0x5D, dictionary size: 4194304 bytes, missing uncompressed size
131708        0x2027C         Zlib compressed data, compressed
148092        0x2427C         Zlib compressed data, compressed
184956        0x2D27C         PEM RSA private key
185919        0x2D63F         PEM certificate
197244        0x3027C         Zlib compressed data, compressed
262780        0x4027C         Zlib compressed data, compressed
328316        0x5027C         Zlib compressed data, compressed
328640        0x503C0         Zlib compressed data, compressed
328844        0x5048C         Zlib compressed data, compressed
             .....
346480        0x54970         Zlib compressed data, compressed
346956        0x54B4C         Zlib compressed data, compressed
347388        0x54CFC         Zlib compressed data, compressed
347820        0x54EAC         Zlib compressed data, compressed
348252        0x5505C         Zlib compressed data, compressed
348684        0x5520C         Zlib compressed data, compressed
393484        0x6010C         LZMA compressed data, properties: 0x5D, dictionary size: 4194304 bytes, missing uncompressed size
1769472       0x1B0000        Squashfs filesystem, big endian, version 2.0, size: 5866724 bytes, 638 inodes, blocksize: 65536 bytes, created: Sun Jan 29 09:31:45 2012

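I have a problem with the filesystem binary, because the version of unsquashfs in the firmware mod kit did not "just work" for me, since all I get is 307,0 kB worth of files.

2 Answers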

I have the same device. You can try this busybox that I compiled for that device; just type ./busybox_unstripped dd to use dd

./busybox_unstripped 
BusyBox v1.13.4 (2017-03-09 17:30:22 CET) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        ash, bunzip2, bzcat, cat, cp, cut, date, dd, echo, expr, false, free,
        grep, halt, head, hostname, ifconfig, init, ip, kill, killall, klogd,
        ln, ls, mkdir, mount, ping, poweroff, ps, reboot, renice, rm, route,
        sh, sleep, syslogd, tail, true, umount, wc

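I also found the firmware for this device on the internet; you can download it here

You should not use "cat". "cat" takes printable characters into account, which is most likely your problem. Something may have gone wrong after "cat", causing problems with filesystem recognition.

Use "dd" for a reliable byte-for-byte copy.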
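
A way to check whether a partition dump is complete before handing it to unsquashfs, added here as an example and not part of either answer: it derives partition offsets from the /proc/mtd listing in the question, then compares the separate filesystem dump against the same region of whole_flash by size, hash and SquashFS magic. It assumes the partitions after mtd0 are laid out back to back in the listed order (which puts "filesystem" at 0x1B0000, the offset binwalk reports for the Squashfs image); the function names and the sample image are constructed for the example.

```python
import hashlib
import re

# /proc/mtd output copied from the question on this page.
PROC_MTD = '''dev:    size   erasesize  name
mtd0: 00800000 00010000 "whole_flash"
mtd1: 00020000 00010000 "bootloader"
mtd2: 00040000 00010000 "userconfig"
mtd3: 00150000 00010000 "kernel"
mtd4: 00650000 00010000 "filesystem"
'''
SQUASHFS_MAGIC = (b"sqsh", b"hsqs")  # big-endian / little-endian images

def parse_mtd(text):
    """Return {name: (offset, size)}. Assumes row 1 spans the chip and the rest are contiguous."""
    rows = re.findall(r'^mtd\d+:\s+([0-9a-fA-F]+)\s+[0-9a-fA-F]+\s+"([^"]+)"', text, re.M)
    layout, offset = {}, 0
    for i, (size_hex, name) in enumerate(rows):
        size = int(size_hex, 16)
        layout[name] = (0, size) if i == 0 else (offset, size)
        offset += size if i else 0
    return layout

def check_dump(whole, part, layout, name="filesystem"):
    """List the ways a partition dump disagrees with the whole-flash dump and /proc/mtd."""
    offset, size = layout[name]
    total = layout["whole_flash"][1]
    problems = []
    if len(whole) != total:
        problems.append(f"whole_flash is {len(whole)} bytes, expected {total}")
    if len(part) != size:
        problems.append(f"{name} is {len(part)} bytes, expected {size}")
    if hashlib.sha256(whole[offset:offset + size]).digest() != hashlib.sha256(part).digest():
        problems.append(f"{name} differs from whole_flash[{offset:#x}:{offset + size:#x}]")
    if part[:4] not in SQUASHFS_MAGIC:
        problems.append(f"no SquashFS magic at start of {name}: {part[:4]!r}")
    return problems

def make_sample(layout):
    """Constructed 8 MiB test image: 0xFF fill plus a SquashFS magic at the filesystem offset."""
    img = bytearray(b"\xff" * layout["whole_flash"][1])
    off = layout["filesystem"][0]
    img[off:off + 4] = b"sqsh"
    return bytes(img)

if __name__ == "__main__":
    layout = parse_mtd(PROC_MTD)
    off, size = layout["filesystem"]
    whole = make_sample(layout)
    print(hex(off), check_dump(whole, whole[off:off + size], layout))
```

With real dumps, read the two files in binary mode (`open(path, "rb").read()`) and pass them as `whole` and `part`; an empty list means the two copies agree.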