我通过嗅探它正在建立的传出连接找到了 Slingbox 500 的固件。但是,很难做出正面或反面。我真的很想看到文件系统,因为它正在运行 dropbear ssh 服务器!
以下文件来自http://mdconfig.sling.com/config/v2/type/ngsb/product/intrepidCbfu/version/01.10.095.json --
{
"payload":
"{"config":
{
"updateVersion":"01.10.102",
"rebootTimeMsec":68000,
"firmwareComponents":
{
"appfsRecovery":
{
"critical":false,
"crc":123,
"order":1,
"reboot":false,
"url":"www.navjit.com",
"size":123,
"version":"0.5.102"
},
"uImageMain":
{
"critical":false,
"crc":1863698014,
"order":2,
"reboot":false,
"url":"http://cbfu-prod.slingbox.com/Intrepid/Intrepid_FW_01_10_102/s_fw4_uImage_mips_gz_118.bin",
"size":5463888,
"version":"1.9.118"
},
"FW3":
{
"critical":false,
"crc":2050778634,
"order":3,
"reboot":false,
"url":"http://cbfu-prod.slingbox.com/Intrepid/Intrepid_FW_01_10_102/intrepid_fw3_f_p_1_5_432.bin",
"size":262144,
"version":"1.5.432"
},
"FW2":
{
"critical":false,
"crc":2050778634,
"order":4,
"reboot":false,
"url":"www.navjit.com",
"size":123,
"version":"0.5.472"
},
"FW1":
{
"critical":false,
"crc":123,
"order":5,
"reboot":false,
"url":"www.navjit.com",
"size":123,
"version":"0.5.472"
},
"uImageRecovery":
{
"critical":false,
"crc":123,
"order":0,
"reboot":false,
"url":"www.navjit.com",
"size":123,
"version":"1.5.002"
}
},
"applications":
{
"sbCore":
{
"urlMeta":"http://cbfu-prod.slingbox.com/Intrepid/Intrepid_FW_01_10_102/FW5_SIG_01_10_102.tar",
"critical":false,
"sizeMeta":10240,
"reboot":true,
"type":"file_system",
"url":"http://cbfu-prod.slingbox.com/Intrepid/Intrepid_FW_01_10_102/intrepid_fw5_full_01.10.102_nand.ubi.gz.aes",
"version":"01.10.102",
"size":99865328
}
}
}
}",
"header":
{
"signatureEncoding":"base64",
"msgType":"plain",
"signature":" MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAADGCAg8wggILAgEBMHkwdDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAoTC1NsaW5nIE1lZGlhMRMwEQYDVQQDEwpNRCBET1dOIENBMSUwIwYJKoZIhvcNAQkBFhZtZGFkbWluQHNsaW5nbWVkaWEuY29tAgEDMA0GCWCGSAFlAwQCAQUAoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTYwNDI3MDYxNzIyWjAvBgkqhkiG9w0BCQQxIgQgdMg3fnkpkxTXkZzmAgvCH613L0YpH70/9yGDYSN0D7YwDQYJKoZIhvcNAQEBBQAEggEApKOkHp4k8EgaMxPIxelQX2E2iKP91HgUnx4lkYkffirQU5ObvIFWd4DAyEmb6QO8X3BVA/tWnDDaIwunUy/2WVjgcwyTiSLr20tPlEPDJcACEQERx2xzAss3Y+voeXmwBrmDWFXn5ILNUN86GsL3mUyfySR6ZPly4Wu2Krb55e58FIu9WqS6ynCD1Qdt4djQ6VgeG+2+CBmUp7mvoemgr+Kzs0wNCOOm9/561Cqsl3MCbHrt8hXikcb2lTyH3UkNRlBmYt66hb7MB1r1osT8KLLERuJ1kFOhYf6edefTFjyQVM/EUUwK5TO5NzFGB8wosG9jzbLpbE9qXQrj62j6tAAAAAAAAA==",
"configEncoding":"none"
}
}
Binwalk 在这两个文件中都是空白的:
以下 tar 文件扩展为三个单独的文件:
- http://cbfu-prod.slingbox.com/Intrepid/Intrepid_FW_01_10_102/FW5_SIG_01_10_102.tar
- FW5_sig.smime <-- 不知道如何解码这些 smime 文件,但包含诸如“Intrepid pkg key”、“Intrepid pkg signer”和“OpenSSL Generated Certificate”之类的字符串,并且具有可能有用的有趣名称!
- FW5_enc_params.smime
- ubi_fw_size --> "128057344"
可能是最有趣的文件,它看起来完全加密(95 MB):
所以在这里我想知道是否有机会走得更远,或者我是否被卡住了。我不反对硬件修补,尽管我肯定会很笨拙并且需要一些手动操作。有什么想法吗?谢谢。