Reverse engineering the TP-Link TD-W8961N

Tags: reverse-engineering firmware mips
2021-07-03 03:40:55

After following the tutorial here, I decided to try reverse engineering my router's firmware. My router is a TP-Link TD-W8961N, firmware version V2.

I have been trying to figure this out, but with no luck. The firmware does not contain any obvious filesystem, bootloader or kernel that can be extracted.

From binwalk's analysis, the router appears to be running ThreadX on a MIPS architecture.

Running binwalk -eM TDW8961N, I get

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
63643         0xF89B          ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
63892         0xF994          ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
85043         0x14C33         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 66696 bytes
118036        0x1CD14         Unix path: /usr/share/tabset/vt100:\
118804        0x1D014         ZyXEL rom-0 configuration block, name: "spt.dat", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
118824        0x1D028         ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 16
128002        0x1F402         GIF image data, version "89a", 200 x 50
136194        0x21402         GIF image data, version "89a", 560 x 50
253333        0x3DD95         Neighborly text, "neighbor of your ADSL Router that will forward the packet to the destination. On the LAN, the gateway </font>e destination. On the LAN, the gateway </font>"
349586        0x55592         Copyright string: "Copyright (c) 2001 - 2015 TP-LINK TECHNOLOGIES CO., LTD."
386471        0x5E5A7         Copyright string: "Copyright &copy; 2015 TP-LINK Technologies Co., Ltd. All rights reserved."
386489        0x5E5B9         TP-Link firmware header, firmware version: 17256.26992.22113, image version: " Co., Ltd. All rights reserved.", product ID: 0x6E42746E, product version: 1131375727, kernel load address: 0x72002223, kernel entry point: 0x46463939, kernel offset: 4475203, kernel length: 1347765096, rootfs offset: 1768969317, rootfs length: 2020868163, bootloader offset: 1347747908, bootloader length: 1229148245
806847        0xC4FBF         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2853276 bytes


Scan Time:     2016-10-07 22:29:27
Target File:   /home/aaron/Desktop/tools/firmware/TD-W8961N/_TD-W8961N-0.extracted/14C33
MD5 Checksum:  feac8e40efcca119826f811501b36502
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------


Scan Time:     2016-10-07 22:29:27
Target File:   /home/aaron/Desktop/tools/firmware/TD-W8961N/_TD-W8961N-0.extracted/C4FBF
MD5 Checksum:  78c0c10cba8fba3ce1c194461ac40fa4
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2141288       0x20AC68        Neighborly text, "neighbor loss) fail"
2144380       0x20B87C        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 8313
2157896       0x20ED48        Neighborly text, "neighbordown: can't shutdown OSPF task completely"
2168474       0x21169A        ZyXEL rom-0 configuration block, name: "spt.dat", compressed size: 769, uncompressed size: 259, data offset from start of block: 28805
2249704       0x2253E8        HTML document footer
2250021       0x225525        HTML document header
2253724       0x22639C        XML document, version: "1.0"
2320029       0x23669D        Base64 standard index table
2332534       0x239776        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 131
2332646       0x2397E6        Copyright string: "Copyright (c) 1994 - 2004 ZyXEL Communications Corp."
2332699       0x23981B        Copyright string: "Copyright (c) 2001 - 2006 TrendChip Technologies Corp."
2332754       0x239852        Copyright string: "Copyright (c) 2001 - 2006 "
2333095       0x2399A7        ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
2344978       0x23C812        eCos RTOS string reference: "ecost"
2393676       0x24864C        SHA256 hash constants, big endian
2395752       0x248E68        Base64 standard index table
2436753       0x252E91        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 135
2454640       0x257470        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 131
2495500       0x26140C        Base64 standard index table
2537620       0x26B894        XML document, version: "1.0"
2544124       0x26D1FC        XML document, version: "1.0"
2545312       0x26D6A0        XML document, version: "1.0"
2546280       0x26DA68        XML document, version: "1.0"
2551100       0x26ED3C        XML document, version: "1.0"
2555276       0x26FD8C        XML document, version: "1.0"
2558548       0x270A54        XML document, version: "1.0"
2563936       0x271F60        XML document, version: "1.0"
2569916       0x2736BC        XML document, version: "1.0"
2572052       0x273F14        XML document, version: "1.0"
2579160       0x275AD8        XML document, version: "1.0"
2595692       0x279B6C        XML document, version: "1.0"
2605172       0x27C074        XML document, version: "1.0"
2613932       0x27E2AC        XML document, version: "1.0"
2615368       0x27E848        XML document, version: "1.0"
2627752       0x2818A8        XML document, version: "1.0"
2648491       0x2869AB        Copyright string: "copyright"
2658067       0x288F13        Copyright string: "copyright" >"
2759380       0x2A1AD4        CRC32 polynomial table, big endian
2827145       0x2B2389        Unix path: /wifi_uni_mac/ROM/nic/hal/MT7603/hal_rom.c
2827593       0x2B2549        Unix path: /wifi_uni_mac/ROM/nic/hal/MT7603/hal_pwr_mgt_rom.c
2828329       0x2B2829        Unix path: /wifi_uni_mac/mgmt/mt7603/rlm_phy.c
2828385       0x2B2861        Unix path: /wifi_uni_mac/mgmt/mt7603/rlm_sensor.c
2852324       0x2B85E4        Copyright string: "Copyright (c) 1996-2010 Express Logic Inc. * ThreadX MIPS32_34Kx/Green Hills Version G5.4.5.0 SN: 3182-197-0401 *"

This creates two files: 14C33, which gives no results when binwalk is run on it, and C4FBF, which gives the same results as binwalk TDW8961N. It also creates a number of similar xml files.

I opened the files 14C33 and C4FBF in a hex editor and noticed that the first two bytes are 3C 08. Running file on the two files returns

14C33: data
C4FBF: data

I googled these two bytes and came across this page, where I found that a zlib stream can start with 08 3C, although it is not common. After reading that, I changed the first two bytes so that they read 08 3C. file 14C33 now returns

14C33: zlib compressed data

I did the same for C4FBF, and when I tried to decompress it, it failed. With gzip I get unknown suffix -- ignored. I also tried uncompress and pigz, but they give similar errors.

So what is going on? Is file giving a false positive for zlib compressed data, or is there a custom compression algorithm? Also, I don't understand why both eCos and ThreadX are mentioned. And as for the bootloader and kernel offsets, are those the offsets at which the bootloader and kernel are loaded into memory?

The firmware is available for download at tp-link.com/en/download/TD-W8961N_V2.html#Firmware

1 answer

I found the answer.

The router runs ZynOS, and the firmware needs to be extracted using router-tools.

After downloading it, I ran the command

python zynos.py unpack TDW8961N

to unpack the router firmware. All I have to do now is run binwalk -Y file to find out the architecture, then load the file into IDA and use the disassembly together with

https://wiki.openwrt.org/doku.php?id=oldwiki:openwrtdocs:hardware:zyxel:p_335wt

to find out where the ROM boots from.
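Added example, not part of the question or the answer above. Two things in the thread are worth seeing in code. First, the blocks binwalk reported as "LZMA compressed data, properties: 0x5D, dictionary size: 8388608" are LZMA-alone streams with a 13-byte header (properties byte encoding lc/lp/pb, little-endian dictionary size, little-endian uncompressed size), and binwalk finds them by matching that header, not by file extension, which is why gzip/pigz/uncompress cannot open them. Second, a raw big-endian MIPS code blob very often opens with 3C 08 xx xx, because opcode 0x0F is LUI and 0x3C08 encodes lui $t0 (register 8); this is the kind of opcode pattern that binwalk -Y, the step the answer uses, keys on to report an architecture. The zlib header check that file applies is only "CM == 8 and (CMF*256+FLG) % 31 == 0", so the swapped pair 08 3C passes it while 3C 08 does not. The script builds a constructed, hypothetical firmware-like blob (filler bytes plus an LZMA-alone stream wrapping a small MIPS boot stub; it is not the real TD-W8961N image), locates the LZMA header with a simplified version of binwalk's signature (an assumption; binwalk's own signature is stricter), parses and decompresses it, decodes the first instruction, and runs the zlib-header check on the first two bytes both as-is and swapped.

```python
"""Constructed example: find and parse an LZMA-alone stream in a firmware-like blob,
then decode the first MIPS instruction of the unpacked payload and apply the zlib
header check to its first two bytes. All data below is constructed for illustration."""
import lzma
import struct

# Dictionary sizes an LZMA-alone header plausibly carries (powers of two, 4 KiB .. 64 MiB).
# Assumption: a simplified stand-in for binwalk's LZMA signature, which is stricter.
KNOWN_DICT_SIZES = {1 << n for n in range(12, 27)}
LZMA_UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # "size unknown, end marker present"


def parse_lzma_alone_header(blob: bytes, offset: int = 0) -> dict:
    """Parse the 13-byte LZMA-alone header at offset:
    properties byte = (pb * 5 + lp) * 9 + lc, then 4-byte LE dictionary size,
    then 8-byte LE uncompressed size (all 0xFF when the encoder did not know it)."""
    if len(blob) - offset < 13:
        raise ValueError("need 13 bytes for an LZMA-alone header")
    props = blob[offset]
    if props >= 9 * 5 * 5:
        raise ValueError(f"invalid properties byte 0x{props:02X}")
    dict_size, usize = struct.unpack_from("<IQ", blob, offset + 1)
    return {
        "props": props,
        "lc": props % 9,
        "lp": (props // 9) % 5,
        "pb": props // 45,
        "dict_size": dict_size,
        "uncompressed_size": None if usize == LZMA_UNKNOWN_SIZE else usize,
    }


def find_lzma_candidates(blob: bytes) -> list:
    """Signature scan: every offset whose properties byte is valid and whose
    dictionary size is one of the usual values. False hits are weeded out later
    by actually trying to decompress."""
    hits = []
    for off in range(len(blob) - 12):
        try:
            hdr = parse_lzma_alone_header(blob, off)
        except ValueError:
            continue
        if hdr["dict_size"] in KNOWN_DICT_SIZES:
            hits.append(off)
    return hits


def decompress_at(blob: bytes, offset: int) -> bytes:
    """Decompress one LZMA-alone stream starting at offset; trailing bytes after the
    stream (other firmware sections) are left in the decompressor's unused_data."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    return dec.decompress(blob[offset:])


def decode_mips_be(word_bytes: bytes) -> str:
    """Decode one big-endian MIPS32 word. LUI (opcode 0x0F) and ORI (0x0D) are named
    because a boot stub typically opens by building a 32-bit address with them;
    anything else is reported by opcode number. Registers are numeric ($8 is $t0)."""
    (w,) = struct.unpack(">I", word_bytes)
    op, rs, rt, imm = w >> 26, (w >> 21) & 0x1F, (w >> 16) & 0x1F, w & 0xFFFF
    if op == 0x0F and rs == 0:
        return f"lui ${rt}, 0x{imm:04X}"
    if op == 0x0D:
        return f"ori ${rt}, ${rs}, 0x{imm:04X}"
    return f"opcode 0x{op:02X}"


def looks_like_zlib_header(two: bytes) -> bool:
    """The only structural check a zlib header offers: CM == 8 (deflate) and the
    16-bit value CMF<<8|FLG divisible by 31. 08 3C passes (256-byte window,
    no preset dictionary), so passing this check is weak evidence on its own."""
    cmf, flg = two[0], two[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


# Constructed payload standing in for an unpacked code blob: the big-endian MIPS
# stub "lui $t0, 0x8000; ori $t0, $t0, 0x1000" followed by zero filler.
PAYLOAD = bytes.fromhex("3C088000" "35081000") + b"\x00" * 200
JUNK = bytes(range(256)) * 2  # constructed filler preceding the stream
STREAM = lzma.compress(
    PAYLOAD, format=lzma.FORMAT_ALONE,
    filters=[{"id": lzma.FILTER_LZMA1, "dict_size": 8 << 20, "lc": 3, "lp": 0, "pb": 2}],
)
FIRMWARE = JUNK + STREAM + b"\xff" * 16  # constructed firmware-like blob


def analyse(blob: bytes) -> dict:
    """Unpack the first candidate that really decompresses and report what is inside."""
    for off in find_lzma_candidates(blob):
        try:
            data = decompress_at(blob, off)
        except lzma.LZMAError:
            continue  # signature false positive
        if not data:
            continue
        return {
            "offset": off,
            "header": parse_lzma_alone_header(blob, off),
            "payload": data,
            "first_insn": decode_mips_be(data[:4]),
            "zlib_like_as_is": looks_like_zlib_header(data[:2]),
            "zlib_like_swapped": looks_like_zlib_header(data[1::-1]),
        }
    raise ValueError("no LZMA-alone stream found")


if __name__ == "__main__":
    r = analyse(FIRMWARE)
    print(f"LZMA-alone stream at 0x{r['offset']:X}: {r['header']}")
    print("first instruction:", r["first_insn"])
    print("zlib header check: as-is", r["zlib_like_as_is"], "/ swapped", r["zlib_like_swapped"])
```

Point the same functions at a real extracted block (for example the file binwalk wrote for the 0xC4FBF offset) by reading it with open(path, "rb").read() and passing it to parse_lzma_alone_header or decode_mips_be; the 8388608-byte dictionary and 0x5D properties byte in the question's binwalk output decode to lc=3, lp=0, pb=2, the LZMA defaults.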