Disassembling ARM-based camera firmware

reverse-engineering firmware arm firmware-analysis bin
2021-06-28 22:40:34

I am trying to disassemble Hikvision firmware 5.5.85. I want to extract the contents of the digicap.dav file.

Binwalk is unable to extract any known zip files.

binwalk -e  digicap.dav 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

Running the opcode signature scan shows that it is an ARM-based binary.

└─# binwalk -A  digicap.dav

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
6380591       0x615C2F        ARM instructions, function prologue
6523606       0x638AD6        ARM instructions, function prologue
28103893      0x1ACD4D5       ARM instructions, function prologue

Running the entropy analysis shows this:

binwalk -E digicap.dav 

DECIMAL       HEXADECIMAL     ENTROPY
--------------------------------------------------------------------------------
0             0x0             Rising entropy edge (0.995974)
12599296      0xC04000        Rising entropy edge (0.981657)
18382848      0x1188000       Falling entropy edge (0.800915)
18415616      0x1190000       Rising entropy edge (0.954710)
18907136      0x1208000       Rising entropy edge (0.998649)
28229632      0x1AEC000       Rising entropy edge (0.987824)
28426240      0x1B1C000       Rising entropy edge (0.998774)
29179904      0x1BD4000       Rising entropy edge (0.996414)
29360128      0x1C00000       Falling entropy edge (0.722392)
29507584      0x1C24000       Falling entropy edge (0.653426)
29671424      0x1C4C000       Falling entropy edge (0.546793)
29835264      0x1C74000       Falling entropy edge (0.579946)
29949952      0x1C90000       Falling entropy edge (0.550830)
30048256      0x1CA8000       Falling entropy edge (0.570541)
30392320      0x1CFC000       Falling entropy edge (0.563434)
30474240      0x1D10000       Falling entropy edge (0.810232)
30638080      0x1D38000       Falling entropy edge (0.619405)
30703616      0x1D48000       Falling entropy edge (0.550830)
30932992      0x1D80000       Falling entropy edge (0.622278)
31080448      0x1DA4000       Falling entropy edge (0.551011)
31129600      0x1DB0000       Falling entropy edge (0.646414)
31227904      0x1DC8000       Falling entropy edge (0.579931)
31391744      0x1DF0000       Falling entropy edge (0.544139)
31440896      0x1DFC000       Rising entropy edge (0.959527)
31473664      0x1E04000       Rising entropy edge (0.989212)
32014336      0x1E88000       Rising entropy edge (0.998716)
33226752      0x1FB0000       Falling entropy edge (0.795215)
33259520      0x1FB8000       Rising entropy edge (0.959458)

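At this point, I am guessing this is an encrypted binary. I am new to reverse engineering, so I am not quite sure how to extract the contents from this binary.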
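How rising and falling entropy edges like those in the output above can be derived, as an added example that is not part of the original post and is not binwalk's own code. The block size, the 0.95/0.85 trigger levels and the sample bytes are assumptions constructed for this illustration.

```python
import hashlib
import math
import sys

def block_entropy(block: bytes) -> float:
    """Shannon entropy of a block, normalised so 8 bits/byte == 1.0."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c) / 8.0

def entropy_edges(data: bytes, block_size=1024, high=0.95, low=0.85):
    """List (offset, kind, entropy) where the entropy crosses a threshold.

    high/low are assumed trigger levels; values between them keep the
    current state, so noise near one threshold does not produce edges.
    """
    edges, state = [], "low"
    for off in range(0, len(data), block_size):
        e = block_entropy(data[off:off + block_size])
        if e >= high and state == "low":
            edges.append((off, "rising", e))
            state = "high"
        elif e <= low and state == "high":
            edges.append((off, "falling", e))
            state = "low"
    return edges

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted data."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

# Constructed sample: 4 KiB high entropy, 4 KiB plain text, 4 KiB high entropy.
SAMPLE = pseudo_random(4096) + (b"config=default\n" * 274)[:4096] + pseudo_random(4096)

if __name__ == "__main__":
    # Pass a firmware path to scan a real file; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, kind, e in entropy_edges(data):
        print(f"{off:<12} 0x{off:<12X} {kind.capitalize()} entropy edge ({e:.6f})")
```

Values near 1.0 only say the bytes look random; compressed and encrypted data both score that high, so an edge marks a region boundary worth inspecting rather than proof of encryption.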

1 Answer

The parsing logic seems to be hidden in the U-Boot loader

tftpboot- boot image via network using TFTP protocol
update  - update digicap.dav
updateb - update uboot(u-boot.bin) to nor
updatebl- update ubl(ubl_646x.bin) to nand
updatefs- update filesystem(davinci.img) to nand
updatek - update kernel(uImage) to nand
updates - serial update kernel or filesys

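Try looking for the U-Boot source code for your device at http://opensource.hikvision.com/; hopefully it contains the code for this command so that you can understand its layout.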