How do I find the bootloader load address?

reverse-engineering ida firmware embedded mips
2021-06-20 18:03:49

I followed the tutorial found at: http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/

I have loaded the uboot image into IDA, but I am not sure how to determine the load address. I have gone through start.S to get a general idea of how things work, but I am unable to apply it when looking at the image.

I found another tutorial describing how to determine the load address (https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/) but could not find the memory address corresponding to the .bss initialization loop in the uboot image.

Any help would be appreciated! If you have any tips on determining the load address, that would be great too.

Thanks

1 Answer

Download link: WAG120N download

Firmware binary:

$ md5sum WAG120N-EU-ANNEXB-ETSI-1.00.19-code.bin
52d6fa830e31ff96289f8aa41ac713af  WAG120N-EU-ANNEXB-ETSI-1.00.19-code.bin

Version: Annex B - Version: 1.00.19 (ETSI)  Latest date: 11/17/2014

Signature scan output:

$ binwalk WAG120N-EU-ANNEXB-ETSI-1.00.19-code.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
9660          0x25BC          U-Boot version string, "U-Boot 1.1.5-2.0 (Jul 22 2009 - 14:05:28)"
9708          0x25EC          CRC32 polynomial table, big endian
11012         0x2B04          uImage header, header size: 64 bytes, header CRC: 0xF5170888, created: 2009-07-22 06:05:29, image size: 47540 bytes, Data Address: 0x80400000, Entry Point: 0x80400000, data CRC: 0x84EF8694, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
11076         0x2B44          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 147212 bytes
65434         0xFF9A          Sercomm firmware signature, version control: 1, download control: 256, hardware ID: "YQZ", hardware version: 0x0, firmware version: 0x9, starting code segment: 0x100, code size: 0x7300
65497         0xFFD9          Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "", hardware version: 0x0, firmware version: 0x2700, starting code segment: 0x1A9C, code size: 0x3D0
72028         0x1195C         Sercomm firmware signature, version control: 29184, download control: 24933, hardware ID: "d ok..!!", hardware version: 0x7266, firmware version: 0x2578, starting code segment: 0xA78, code size: 0x0
196608        0x30000         uImage header, header size: 64 bytes, header CRC: 0xED45C533, created: 2014-11-04 09:41:33, image size: 577083 bytes, Data Address: 0x80002000, Entry Point: 0x801B2040, data CRC: 0x5AFA7402, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Linux-2.4.31-Amazon_SE-3.6.]"
196672        0x30040         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 1986560 bytes
851968        0xD0000         Squashfs filesystem, big endian, lzma compression, version 2.1, size: 2991870 bytes, 748 inodes, blocksize: 65536 bytes, created: 2014-11-04 09:42:21

According to the signature scan, the u-boot image has image type: Firmware Image, with Data Address and Entry Point 0x80400000.

How should this information be interpreted? Let's start with the description of the U-Boot image format: U-Boot Image Format

From include/image.h

At line 230:

* "Firmware Images" are binary images containing firmware (like
*      U-Boot or FPGA images) which usually will be programmed to
*      flash memory.

Image header:

/*
 * Legacy format image header,
 * all data in network byte order (aka natural aka bigendian).
 */
typedef struct image_header {
    __be32      ih_magic;       /* Image Header Magic Number    */
    __be32      ih_hcrc;        /* Image Header CRC Checksum    */
    __be32      ih_time;        /* Image Creation Timestamp     */
    __be32      ih_size;        /* Image Data Size              */
    __be32      ih_load;        /* Data  Load  Address          */
    __be32      ih_ep;          /* Entry Point Address          */
    __be32      ih_dcrc;        /* Image Data CRC Checksum      */
    uint8_t     ih_os;          /* Operating System             */
    uint8_t     ih_arch;        /* CPU architecture             */
    uint8_t     ih_type;        /* Image Type                   */
    uint8_t     ih_comp;        /* Compression Type             */
    uint8_t     ih_name[IH_NMLEN];  /* Image Name               */
} image_header_t;

Image info:

typedef struct image_info {
    ulong       start, end;             /* start/end of blob */
    ulong       image_start, image_len; /* start of image within blob, len of image */
    ulong       load;                   /* load addr for the image */
    uint8_t     comp, type, os;         /* compression, type of image, os type */
    uint8_t     arch;                   /* CPU architecture */
} image_info_t;

The information about the load address is stored in the uImage header, which is what binwalk shows. In this case it is 0x8040000

See also:

Reverse engineering a MIPS bootloader

MIPS address space

Reverse engineering VxWorks firmware: WRT54Gv8

Unpacking and repacking U-Boot uImage files

A handy U-Boot trick

MIPS booting
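As an added example (not part of the answer above and not U-Boot's own code), here is a small Python parser for the legacy image_header_t the answer quotes: it scans for the header magic the way a signature scanner does, checks the header and data CRCs so a stray magic inside payload data is not mistaken for a header, and reports ih_load and ih_ep. The blob it runs on is constructed here; the NAMES table covers only the enum values this page's scan shows.

```python
import struct
import zlib

IH_MAGIC = 0x27051956
# Legacy header from include/image.h: seven big-endian u32s, four u8s, 32-byte name = 64 bytes
HDR_FMT = ">IIIIIIIBBBB32s"
HDR_LEN = struct.calcsize(HDR_FMT)
# Enum values from include/image.h, limited to what this page's binwalk output shows
NAMES = {"os": {5: "Linux"}, "arch": {5: "MIPS"},
         "type": {2: "OS Kernel Image", 5: "Firmware Image"}, "comp": {3: "lzma"}}


def build_header(data, load, ep, os_=5, arch=5, typ=5, comp=3, name=b"u-boot image"):
    """Build a legacy uImage header for `data` (used here only to construct the sample blob)."""
    fields = [IH_MAGIC, 0, 0, len(data), load, ep, zlib.crc32(data), os_, arch, typ, comp, name.ljust(32, b"\0")]
    fields[1] = zlib.crc32(struct.pack(HDR_FMT, *fields))  # ih_hcrc is computed with itself zeroed
    return struct.pack(HDR_FMT, *fields)


def parse_header(blob, offset=0):
    """Parse the header at `offset`, verifying magic, header CRC and data CRC."""
    hdr = blob[offset:offset + HDR_LEN]
    if len(hdr) < HDR_LEN or struct.unpack(">I", hdr[:4])[0] != IH_MAGIC:
        raise ValueError("no uImage header at 0x%x" % offset)
    f = struct.unpack(HDR_FMT, hdr)
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != f[1]:
        raise ValueError("header CRC mismatch at 0x%x" % offset)
    data = blob[offset + HDR_LEN:offset + HDR_LEN + f[3]]
    if len(data) != f[3] or zlib.crc32(data) != f[6]:
        raise ValueError("data truncated or data CRC mismatch at 0x%x" % offset)
    return {"size": f[3], "load": f[4], "ep": f[5],
            "os": NAMES["os"].get(f[7], f[7]), "arch": NAMES["arch"].get(f[8], f[8]),
            "type": NAMES["type"].get(f[9], f[9]), "comp": NAMES["comp"].get(f[10], f[10]),
            "name": f[11].rstrip(b"\0").decode("ascii", "replace")}


def find_headers(blob):
    """Scan for the magic like a signature scanner; keep only headers whose CRCs check out."""
    found, pos = [], blob.find(b"\x27\x05\x19\x56")
    while pos != -1:
        try:
            found.append((pos, parse_header(blob, pos)))
        except ValueError:
            pass  # a stray magic inside data, or a corrupt header
        pos = blob.find(b"\x27\x05\x19\x56", pos + 1)
    return found


# Constructed sample blob: filler, a header carrying the page's 0x80400000 addresses, then payload
SAMPLE_DATA = bytes(range(256)) * 4
SAMPLE_BLOB = b"\xff" * 0x2B04 + build_header(SAMPLE_DATA, 0x80400000, 0x80400000) + SAMPLE_DATA
```

Running find_headers over a real dump gives the same offset, Data Address and Entry Point columns the binwalk output above shows, which is the value to use as the IDA load address.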