Strange binwalk output on GoPro firmware

reverse-engineering firmware embedded hex
2021-06-21 10:08:16

I am trying to extract the GoPro Hero 3+ camera firmware, but from binwalk.

Here is the binwalk output (uploaded to pastebin):

http://pastebin.com/raw.php?i=yVZFGZT6

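As you can see, there are a lot of lines, including mcrypt, RSA and others, but the firmware is not encrypted. Also, checking the hex of the file, I can see the following: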

000006f0  55 55 55 55 66 66 66 66  77 77 77 77 88 88 88 88  |UUUUffffwwww....|

As far as I know, this is related to UBoot. Two other lines show some squashfs headers:

0151d040  45 3d cd 28 88 4f 39 80  68 73 71 73 bc 4f 39 80  |E=.(.O9.hsqs.O9.|
02557250  8a f3 0d 00 68 73 71 73  90 f3 0d 00 72 65 65 62  |....hsqs....reeb|

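Also, I can see some other lines related to CPIO, but I cannot figure out how to split this file into extractable parts.

The firmware image can be downloaded here: http://software.gopro.com/Firmware/HD2/HD2-firmware.bin

2 Answers

Strings indicates that this uses the UbiFS file system: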

$ strings HD2-firmware.bin | grep -i ubifs
console=tty0  lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs
LNX_VIF="../../../src/linuxinfo/ubifs.info"
CONFIG_BOSS_SECONDARY_CMDLINE="console=tty0  lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs"
console=tty0  lpj=2334720 ubi.mtd=lnx root=ubi0:linux rootfstype=ubifs

I can see the UbiFS super magic bytes (0x24051905, see http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/fs/ubifs/ubifs.h) in only two places:

$ binwalk -m ubifs.sig HD2-firmware.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
23734456      0x16A28B8       UbiFS, little endian
23741868      0x16A45AC       UbiFS, little endian

For reference, the contents of ubifs.sig are:

0   lelong  0x24051905      UbiFS, little endian
0   belong  0x24051905      UbiFS, big endian

EDIT:

The above appear to be false positives. After creating my own UbiFS image, this is what it looks like in hex:

00000000  31 18 10 06 dc 6a 3b 2d  4e 00 00 00 00 00 00 00  |1....j;-N.......|
00000010  00 10 00 00 06 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 02 00 00 00 00 02 00  0d 00 00 00 64 00 00 00  |............d...|
00000030  00 00 16 00 00 00 00 00  04 00 00 00 02 00 00 00  |................|
00000040  01 00 00 00 01 00 00 00  08 00 00 00 00 01 00 00  |................|
00000050  04 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 ca 9a 3b fb 7e 13 36  |...........;.~.6|
00000070  91 29 47 3b 8b dd 46 95  27 cc 8a 30 00 00 00 00  |.)G;..F.'..0....|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00020000  31 18 10 06 4a 3d 6b 5a  4f 00 00 00 00 00 00 00  |1...J=kZO.......|
00020010  00 02 00 00 07 00 00 00  45 00 00 00 00 00 00 00  |........E.......|
00020020  00 00 00 00 00 00 00 00  02 00 00 00 03 00 00 00  |................|
00020030  0c 00 00 00 d8 05 00 00  bc 00 00 00 0b 00 00 00  |................|
00020040  0c 00 00 00 00 08 00 00  98 06 00 00 00 00 00 00  |................|
00020050  00 26 05 00 00 00 00 00  38 03 00 00 00 00 00 00  |.&......8.......|
00020060  30 d0 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
00020070  00 24 00 00 00 00 00 00  07 00 00 00 2a 00 00 00  |.$..........*...|
00020080  07 00 00 00 00 02 00 00  07 00 00 00 36 00 00 00  |............6...|
00020090  00 00 00 00 00 00 00 00  0a 00 00 00 01 00 00 00  |................|
000200a0  01 00 00 00 0d 00 00 00  00 00 00 00 00 00 00 00  |................|
000200b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00020200  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

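Note the little-endian magic number at the start of each node: 0x06101831.

This pattern appears in the GoPro firmware, and it looks like the UbiFS image may start at 0x22C6100. However, I have not been able to mount either my UbiFS image (created with mkfs.ubifs) or the one from the GoPro firmware, so I can't verify that this is true.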
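One way to separate real UbiFS nodes from chance matches of the 0x06101831 magic, shown as an added example that is not part of the original answers: parse the 24-byte common node header and accept a hit only when its CRC matches. The header layout and CRC seed follow the Linux kernel's fs/ubifs/ubifs-media.h; the function names and the sample blob are constructed for illustration.

```python
import struct
import zlib

UBIFS_NODE_MAGIC = 0x06101831      # on-flash bytes: 31 18 10 06
CH_FMT = "<IIQIBB2x"               # magic, crc, sqnum, len, node_type, group_type, pad
CH_SIZE = struct.calcsize(CH_FMT)  # 24 bytes
NODE_TYPES = {0: "inode", 1: "data", 2: "dentry", 3: "xattr", 4: "trunc", 5: "pad",
              6: "superblock", 7: "master", 8: "ref", 9: "index", 10: "commit", 11: "orphan"}

def ubifs_crc(body: bytes) -> int:
    # The kernel seeds crc32 with 0xFFFFFFFF and does not invert the result;
    # zlib.crc32 inverts at the end, so undo that inversion here.
    return zlib.crc32(body) ^ 0xFFFFFFFF

def scan_ubifs_nodes(blob: bytes, max_len: int = 1 << 20):
    """Return (offset, node_type, length) for every CRC-valid UbiFS node."""
    hits = []
    needle = struct.pack("<I", UBIFS_NODE_MAGIC)
    pos = blob.find(needle)
    while pos != -1:
        if pos + CH_SIZE <= len(blob):
            _, crc, _, length, ntype, _ = struct.unpack_from(CH_FMT, blob, pos)
            # The CRC covers the node from byte 8 (sqnum) up to its stated length.
            if CH_SIZE <= length <= max_len and pos + length <= len(blob):
                if ubifs_crc(blob[pos + 8:pos + length]) == crc:
                    hits.append((pos, NODE_TYPES.get(ntype, "unknown"), length))
        pos = blob.find(needle, pos + 1)
    return hits

def make_node(ntype: int, payload: bytes, sqnum: int = 1) -> bytes:
    """Build a constructed test node (header + payload) with a correct CRC."""
    tail = struct.pack("<QIBB2x", sqnum, CH_SIZE + len(payload), ntype, 0) + payload
    return struct.pack("<II", UBIFS_NODE_MAGIC, ubifs_crc(tail)) + tail

def demo():
    # Constructed sample: filler, a bare magic (false positive), then two real nodes.
    blob = b"\xff" * 64 + struct.pack("<I", UBIFS_NODE_MAGIC) + b"\x00" * 60
    blob += make_node(6, b"\x00" * 104) + b"\xff" * 32 + make_node(7, b"\x11" * 40)
    return scan_ubifs_nodes(blob)

if __name__ == "__main__":
    for off, kind, length in demo():
        print(f"0x{off:08X}  {kind:<12} len={length}")
```

To run it against a real image, pass the file's bytes to scan_ubifs_nodes(); a superblock node followed later by a master node, as in the hexdump above, is the pattern to look for.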

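binwalk will always have false positives, especially for things like lzma. What you can do is use the -M option to attempt a deep merge across multiple layers, and use the -r option to delete files that decompress poorly.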