逆向工程 - Technicolor TG799vac 调制解调器/路由器倾倒 Nand Flash - 吾爱随笔录

Technicolor TG799vac 调制解调器/路由器倾倒 Nand Flash

逆向工程 linux 固件嵌入式

2021-07-04 13:49:34

好的，所以我一直在尝试转储 Technicolor TG799vac 的内容。

到目前为止，我已经移除了闪存芯片并使用 DumpFlash.py 实用程序读取了芯片并使用 binwalk 来定位 Squashfs 文件系统

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
39436         0x9A0C          SHA256 hash constants, big endian
31764480      0x1E4B000       JFFS2 filesystem, big endian
32013764      0x1E87DC4       JFFS2 filesystem, big endian
32242272      0x1EBFA60       JFFS2 filesystem, big endian
36765696      0x2310000       Squashfs filesystem, little endian, version 4.0, compression:xz, size: 14928222 bytes, 3253 inodes, blocksize: 262144 bytes, created: 2016-06-28 03:08:22
51709334      0x3150596       xz compressed data
51855814      0x31741C6       xz compressed data
51922474      0x318462A       xz compressed data
52004354      0x3198602       xz compressed data
52046150      0x31A2946       xz compressed data
52047662      0x31A2F2E       xz compressed data
52091472      0x31ADA50       xz compressed data
52093306      0x31AE17A       xz compressed data
52095388      0x31AE99C       xz compressed data
52097286      0x31AF106       xz compressed data
52099504      0x31AF9B0       xz compressed data
52101750      0x31B0276       xz compressed data
52103748      0x31B0A44       xz compressed data
52106574      0x31B154E       xz compressed data
52108628      0x31B1D54       xz compressed data
52110506      0x31B24AA       xz compressed data
52112416      0x31B2C20       xz compressed data
52114650      0x31B34DA       xz compressed data
52116652      0x31B3CAC       xz compressed data
52118514      0x31B43F2       xz compressed data
52118772      0x31B44F4       xz compressed data
52122718      0x31B545E       xz compressed data
52126772      0x31B6434       xz compressed data
52131218      0x31B7592       xz compressed data
52135620      0x31B86C4       xz compressed data
52138550      0x31B9236       xz compressed data
52141480      0x31B9DA8       xz compressed data
52144930      0x31BAB22       xz compressed data
52148772      0x31BBA24       xz compressed data
52152506      0x31BC8BA       xz compressed data
52153220      0x31BCB84       xz compressed data
52153882      0x31BCE1A       xz compressed data
52155856      0x31BD5D0       xz compressed data
52157758      0x31BDD3E       xz compressed data
52159824      0x31BE550       xz compressed data
137234956     0x82E0A0C       SHA256 hash constants, big endian

我用来dd提取图像：

$ dd  if=Modem.img bs=1 skip=36765696 count=14928222 of=Modem.squashfs
14928222+0 records in
14928222+0 records out
14928222 bytes (15 MB) copied, 22.0777 s, 676 kB/s

我试图unsuqashfs图像：

$ unsquashfs -s Modem.squashfs
Found a valid SQUASHFS 4:0 superblock on Modem.squashfs.
Creation or last append time Tue Jun 28 13:08:22 2016
Filesystem size 14578.34 Kbytes (14.2 Mbytes)
Compression xz
xz: error reading stored compressor options from filesystem! 
Block size 262144 
Filesystem is exportable via NFS                                                                           Inodes are compressed
Data is compressed                                                                    Fragments are compressed                                                                  Always-use-fragments option is not specified                                                                     Xattrs are not stored                                                                        Duplicates are Removed                                                                       Number of fragments 85                                                                            Number of inodes 3253                                                                         Number of ids 1

$ unsquashfs -d squash-root1  Modem.squashfs
Parallel unsquashfs: Using 4 processors
Lseek failed because Invalid argument
read_block: failed to read block @0x71eed2525ee8f30e
read_uids_guids: failed to read id table block
FATAL ERROR:failed to uid/gid table

但是，它失败了。所以，我试图用以下方法提取firmware-mod-kit：

$ ./unsquashfs_all.sh ~/projects/Telstra/DumpFlash/Modem.squashfs ~/projects/Telstra/DumpFlash/Squashfs/

Attempting to extract SquashFS .X file system...

Trying ./src/squashfs-2.1-r2/unsquashfs-lzma... 
Trying ./src/squashfs-2.1-r2/unsquashfs... 
Trying ./src/squashfs-3.0/unsquashfs-lzma... 
Trying ./src/squashfs-3.0/unsquashfs... 
Trying ./src/squashfs-3.0-lzma-damn-small-variant/unsquashfs-lzma... 
Trying ./src/others/squashfs-2.0-nb4/unsquashfs... 
Trying ./src/others/squashfs-3.0-e2100/unsquashfs-lzma... 
Trying ./src/others/squashfs-3.0-e2100/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-hg612-lzma/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-wnr1000/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-rtn12/unsquashfs... 
Trying ./src/others/squashfs-3.3/unsquashfs... 
Trying ./src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.3-grml-lzma/squashfs3.3/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.4-cisco/unsquashfs... 
Trying ./src/others/squashfs-3.4-nb4/unsquashfs-lzma... 
Trying ./src/others/squashfs-3.4-nb4/unsquashfs... 
Trying ./src/others/squashfs-4.2-official/unsquashfs... Parallel unsquashfs: Using 4 processors
Trying ./src/others/squashfs-4.2/unsquashfs... Parallel unsquashfs: Using 4 processors
Trying ./src/others/squashfs-4.0-lzma/unsquashfs-lzma... Parallel unsquashfs: Using 4 processors
Trying ./src/others/squashfs-4.0-realtek/unsquashfs... Skipping others/squashfs-hg55x-bin (wrong version)...
File extraction failed!

我也试过sasquatch：

$ sasquatch  -trace Modem.squashfs 
squashfs: read_bytes: reading from position 0x0, bytes 32
SquashFS version [4.0] / inode count [3253] suggests a SquashFS image of the same endianess
squashfs: read_bytes: reading from position 0x0, bytes 96
squashfs: read_bytes: reading from position 0x60, bytes 2
squashfs: read_block: block @0x60, 12 uncompressed bytes
squashfs: read_bytes: reading from position 0x62, bytes 12
Parallel unsquashfs: Using 1 processor
squashfs: read_uids_guids: no_ids 1
squashfs: read_bytes: reading from position 0xe3c956, bytes 8
squashfs: read_bytes: reading from position 0x71eed2525ee8f30e, bytes 2
Lseek failed because Invalid argument
read_block: failed to read block @0x71eed2525ee8f30e
read_uids_guids: failed to read id table block
FATAL ERROR:failed to uid/gid table

但是还是没有快乐。:-(

任何人都可以提供任何建议或指出任何错误，因为我是这一切的新手并且仍然学习任何提示或指示将是一个很大的帮助。

2个回答

好的，我设法让它提取....是的

事实证明，当我进行 NAND 转储时，我也转储了 NAND 的 OOB 部分。
所以我不得不通过让-米歇尔·皮科德的Nand-dump-tool.py程序运行它来分离出 OOB 区域。

$ python Nand-dump-tool.py  -i ModemRaw.img -o Split_seperate.img -I
01f1801d  --layout separate

[*] Using given ID code ID code  : 01f1801d
Manufacturer                     : AMD / Spansion
Device                           : NAND 128MiB 3,3V 8-bit
Die/Package                      : 1
Cell type                        : 2 Level Cell
Simultaneously programmed paged  : 1
Interleave between multiple chips: False
Write cache                      : True
Page size                        : 2048 bytes (2 K)
Spare area size                  : 16 bytes / 512 byte
Block size                       : 131072 bytes (128 K)
Organization                     : X16
Serial access time               : 29 ns
OOB size                         : 64 bytes

[*] Start dumping...
[*] Finished

Total: 138412032 bytes (132.00 MB)
Data : 134217728 bytes (128.00 MB)
OOB  : 4194304 bytes (4.00 MB)
Clear: 86.69% of the flash is empty (56813 pages out of 65536)

完成后再次通过 binwalk 运行它给了我一个更合理的输出和一个提取的文件系统......

我建议您尝试找出为什么unsquashing 会失败。正如您在sasquatch自述文件中所读到的：

The sasquatch project is a set of patches to the standard unsquashfs utility (part of squashfs-tools) that attempts to add support for as many hacked-up vendor-specific SquashFS implementations as possible.

所以你可能刚刚发现了一个不受支持的实现。尝试查找，为什么sasquatchLseek 失败。阅读 squashfs 设计论文。也许结构被调整了，你只需要改变某个指针的偏移量。

这就是逆向工程的意义所在。挖掘代码。不要盲目使用别人的工具:)

其它你可能感兴趣的问题

上一篇IDA python，获取特定dll的地址范围下一篇修改PPID避免反调试措施