逆向工程 - 无法从固件转储中解压 - 吾爱随笔录

无法从固件转储中解压

逆向工程固件垃圾桶

2021-07-08 04:52:07

在尝试从路由器解压固件转储但没有成功后，我寻求帮助。

我有一个带有 BCM68380 CPU 的路由器。拆焊东芝 NAND 芯片后，我转储了固件（链接到 FW）并继续提取它。Binwalk 显示以下内容：

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
49788         0xC27C          CRC32 polynomial table, big endian
589312        0x8FE00         CRC32 polynomial table, big endian
2289136       0x22EDF0        uImage header, header size: 64 bytes, header CRC: 0x5BEEE4BD, created: 2017-08-31 09:59:39, image size: 2689910 bytes, Data Address: 0x80010000, Entry Point: 0x804505C0, data CRC: 0x44FFEAF7, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
2703360       0x294000        uImage header, header size: 64 bytes, header CRC: 0x5BEEE4BD, created: 2017-08-31 09:59:39, image size: 2689910 bytes, Data Address: 0x80010000, Entry Point: 0x804505C0, data CRC: 0x44FFEAF7, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
3808793       0x3A1E19        MySQL MISAM compressed data file Version 5
5477496       0x539478        uImage header, header size: 64 bytes, header CRC: 0x1BD6643, created: 2017-08-31 09:59:50, image size: 26791936 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x8212135E, OS: Linux, CPU: MIPS, image type: Standalone Program, compression type: lzma, image name: "rootfs"
5477560       0x5394B8        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 26790128 bytes, 2251 inodes, blocksize: 262144 bytes, created: 2017-08-31 09:59:50
32416240      0x1EEA1F0       PNG image, 921 x 359, 8-bit/color RGBA, non-interlaced
32686576      0x1F2C1F0       PNG image, 979 x 336, 8-bit/color RGBA, non-interlaced
46083560      0x2BF2DE8       uImage header, header size: 64 bytes, header CRC: 0x8F97D0FE, created: 2017-01-09 09:50:15, image size: 2688224 bytes, Data Address: 0x80010000, Entry Point: 0x8044DAD0, data CRC: 0x7E335D07, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
46497792      0x2C58000       uImage header, header size: 64 bytes, header CRC: 0x8F97D0FE, created: 2017-01-09 09:50:15, image size: 2688224 bytes, Data Address: 0x80010000, Entry Point: 0x8044DAD0, data CRC: 0x7E335D07, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
49270176      0x2EFCDA0       uImage header, header size: 64 bytes, header CRC: 0xFE9B6F73, created: 2017-01-09 09:50:20, image size: 25706496 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xD5593BBC, OS: Linux, CPU: MIPS, image type: Standalone Program, compression type: lzma, image name: "rootfs"
49270240      0x2EFCDE0       Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 25703081 bytes, 2266 inodes, blocksize: 262144 bytes, created: 2017-01-09 09:50:20
74999328      0x4786620       PNG image, 921 x 359, 8-bit/color RGBA, non-interlaced
75269664      0x47C8620       PNG image, 979 x 336, 8-bit/color RGBA, non-interlaced
91914240      0x57A8000       UBI erase count header, version: 1, EC: 0x17, VID header offset: 0x800, data offset: 0x1000

解压后显示如下文件（squashfs.root文件夹为空）

2EFCDE0.squashfs  5394B8.squashfs  57A8000.ubi  squashfs-root

然后我尝试解压缩 squashfs 文件系统。起初我尝试使用 unsquashfs 这给了我这个结果：

Lseek failed because Invalid argument
File system corruption detected
FATAL ERROR:failed to read file system tables

另一方面sasquatch给了我这个结果：

SquashFS version [4.0] / inode count [2266] suggests a SquashFS image of the same endianess
Parallel unsquashfs: Using 1 processor
Lseek failed because Invalid argument
read_block: failed to read block @0xbe23b7988e38debe
read_uids_guids: failed to read id table block
FATAL ERROR:failed to uid/gid table

我也试过同样的firmware-mod-kit：

Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

Scanning firmware...

Scan Time:     2020-11-03 13:49:05
Target File:   /mnt/c/Users/Ismael/Desktop/Nueva/Flash_data.bin
MD5 Checksum:  31b617568a1ca2e060bea93fd23de338
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
49788         0xC27C          CRC32 polynomial table, big endian
589312        0x8FE00         CRC32 polynomial table, big endian
2289136       0x22EDF0        uImage header, header size: 64 bytes, header CRC: 0x5BEEE4BD, created: 2017-08-31 09:59:39, image size: 2689910 bytes, Data Address: 0x80010000, Entry Point: 0x804505C0, data CRC: 0x44FFEAF7, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
2703360       0x294000        uImage header, header size: 64 bytes, header CRC: 0x5BEEE4BD, created: 2017-08-31 09:59:39, image size: 2689910 bytes, Data Address: 0x80010000, Entry Point: 0x804505C0, data CRC: 0x44FFEAF7, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
3808793       0x3A1E19        MySQL MISAM compressed data file Version 5
5477496       0x539478        uImage header, header size: 64 bytes, header CRC: 0x1BD6643, created: 2017-08-31 09:59:50, image size: 26791936 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x8212135E, OS: Linux, CPU: MIPS, image type: Standalone Program, compression type: lzma, image name: "rootfs"
5477560       0x5394B8        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 26790128 bytes, 2251 inodes, blocksize: 262144 bytes, created: 2017-08-31 09:59:50
32416240      0x1EEA1F0       PNG image, 921 x 359, 8-bit/color RGBA, non-interlaced
32686576      0x1F2C1F0       PNG image, 979 x 336, 8-bit/color RGBA, non-interlaced
46083560      0x2BF2DE8       uImage header, header size: 64 bytes, header CRC: 0x8F97D0FE, created: 2017-01-09 09:50:15, image size: 2688224 bytes, Data Address: 0x80010000, Entry Point: 0x8044DAD0, data CRC: 0x7E335D07, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
46497792      0x2C58000       uImage header, header size: 64 bytes, header CRC: 0x8F97D0FE, created: 2017-01-09 09:50:15, image size: 2688224 bytes, Data Address: 0x80010000, Entry Point: 0x8044DAD0, data CRC: 0x7E335D07, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "linux"
49270176      0x2EFCDA0       uImage header, header size: 64 bytes, header CRC: 0xFE9B6F73, created: 2017-01-09 09:50:20, image size: 25706496 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xD5593BBC, OS: Linux, CPU: MIPS, image type: Standalone Program, compression type: lzma, image name: "rootfs"
49270240      0x2EFCDE0       Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 25703081 bytes, 2266 inodes, blocksize: 262144 bytes, created: 2017-01-09 09:50:20
74999328      0x4786620       PNG image, 921 x 359, 8-bit/color RGBA, non-interlaced
75269664      0x47C8620       PNG image, 979 x 336, 8-bit/color RGBA, non-interlaced
91914240      0x57A8000       UBI erase count header, version: 1, EC: 0x17, VID header offset: 0x800, data offset: 0x1000

Extracting 49270240 bytes of  header image at offset 0
Extracting squashfs file system at offset 49270240
Extracting squashfs files...
[sudo] password for ismael:
Firmware extraction successful!

它没有给我任何错误，但它没有提取任何 squashfs 文件。

为了删除固件中的 OOB，我使用了NandTool ，它删除了 OOB 数据。

任何帮助将不胜感激。谢谢。

编辑：带有“包括备用区域”禁用链接的固件。

2个回答

您的转储很可能包含备用（或 OOB）字节，而大多数文件格式只考虑用户可访问的区域。您可以找出转储结构并删除 OOB 块，或者在没有备用区域的情况下简单地重新转储。在那之后提取应该工作。

在分析您的转储后，我认为您的路由器与我的非常相似。请检查PRV3399BELT了解我目前发现的内容。

如前所述，您已将原始数据与 OOB 信息一起转储；在喂食 binwalk 之前必须清洁。

然后 binwalk 没有提供可靠的信息，因为它试图猜测常见的结构，并且多次给出“错误的发现”。不要太相信这个输出。

谈到您的问题，固件已构建为启用“安全启动”。这意味着图像已加密，因此无法读取或操作。

除非知道 RSA 密钥，否则您的努力毫无意义。

你可以从Asuswrt-Merlin 站点学到很多东西。尤其是这些脚本。这些是来自 Asuswrt GPL 源的摘录。不幸的是，BCM68380 还不包括在内。

您能否编辑您的消息并添加路由器型号和品牌？

干杯!
乔治

注意：我已经检查过转储的文件是否已损坏；不是解释它的地方，而是 0xd874 处的 cferom 文件（引导加载程序）的末尾包含块 0x14->0xd773 的 JAMCRC32。您甚至可以对两个可用的转储进行比较，您会在开始时注意到一些字节不匹配。如果可能，你能提供一个安全的转储吗？

其它你可能感兴趣的问题

上一篇从哪里开始反转自定义 JavaScript VM？下一篇修改旧手机的bin固件文件