逆向工程 - 如何从相机固件 .bin 文件中解压（雕刻）文件？ - 吾爱随笔录

如何从相机固件 .bin 文件中解压（雕刻）文件？

逆向工程固件开箱

2021-06-17 09:37:07

有人愿意帮助我从固件文件中雕刻/提取文件吗？我试图用提取binwalk，但它没有提取所有内容。我用 ent 检查了它，看看是否有任何加密，并且从我能说的来看似乎没有任何加密。

它是Insta360 One相机的固件，我想检查文件系统/代码以了解其工作原理。Binwalk枚举了一个 unix 文件系统，我很确定它只是在 ARM 处理器上运行。任何帮助，将不胜感激。

这是 .bin 文件的链接

https://www.dropbox.com/s/ut9is9k1t6ih0gf/Insta360FW.bin?dl=0

1个回答

从对文件的简要分析来看，该Insta360 One相机是基于Ambarella A9 SoC或其变体。因此，让我们暂时假设我们正在处理 Ambarella 摄像机本身及其固件，因为 IMO 从头开始开发您自己的高清摄像机硬件和软件堆栈非常困难。如果检查固件文件中的字符串，则有一些实质性的证据：

/home/users/vincent/Insta360_ONE/insta360_one_u05/ambalink_sdk_3_10/output.oem/a12_ambalink/build/dbus-1.8.16/dbus/.libs
AmbarellaInc A9 Platform

进一步的谷歌搜索显示，该SoC还用于其他产品，其中包括DJI Mavic无人机。在此之后，以下 repo 出现了可能对您的研究有所帮助的工具： dji-firmware-tools

在进一步讨论文件提取之前，先介绍一下 bin 文件本身。它分为几个部分，因为我想到了相机 SoC 如何将东西加载到 RAM 中。有些部分实际上是 ELF 文件（第 00 部分），而其他部分是 UBIFS 分区，您可以在ubi_reader的帮助下进行检查。所以继续举例。

通过使用amba_fwpak.py, amba_romfs.py，arm_bin2elf.py可以：

将固件分成几部分

/ubidump/dji-firmware-tools # ./amba_fwpak.py -s -vv -m /Research/Insta360FW.bin 
/Research/Insta360FW.bin: Opening for search
/Research/Insta360FW.bin: Extracting entry  0, pos      252, len  6919456 bytes
/Research/Insta360FW.bin: Entry  0 checksum B77204FE
/Research/Insta360FW.bin: Extracting entry  1, pos  6919964, len  5079040 bytes
/Research/Insta360FW.bin: Entry  1 checksum F1EC7657
/Research/Insta360FW.bin: Extracting entry  2, pos 11999260, len  7266304 bytes
/Research/Insta360FW.bin: Entry  2 checksum F525FC58
/Research/Insta360FW.bin: Extracting entry  3, pos 19265820, len  6002936 bytes
/Research/Insta360FW.bin: Entry  3 checksum 13FB09E6
/Research/Insta360FW.bin: Extracting entry  4, pos 25269012, len 12976128 bytes
/Research/Insta360FW.bin: Entry  4 checksum 03A65A19

提取二进制文件 - 它来自一个文件，其他文件有更多：

/ubidump/dji-firmware-tools/file # ../amba_romfs.py -vv -s -p /Research/insta/Insta360FW_part_01.a9s 
/Research/insta/Insta360FW_part_01.a9s: Opening for search
/Research/insta/Insta360FW_part_01.a9s: Extracting entry 0: orccode.bin, 4376293 bytes
/Research/insta/Insta360FW_part_01.a9s: Extracting entry 1: orcme.bin, 432320 bytes
/Research/insta/Insta360FW_part_01.a9s: Extracting entry 2: default_binary.bin, 262144 bytes

将其中一部分转换成ELF文件用于静态研究——基地址来自Insta360FW_part_00.a9h文件：

/ubidump/dji-firmware-tools # ./amba_sys2elf.py -vv -e -l 0xA0001000 -p /Research/insta/Insta360FW_part_00.a9s 
/Research/insta/Insta360FW_part_00.a9s: Opening for conversion to ELF
/Research/insta/Insta360FW_part_00.a9s: Opening         /Research/insta/Insta360FW_part_00.a9h
/Research/insta/Insta360FW_part_00.a9s: Memory base address set to 0xa0001000
/Research/insta/Insta360FW_part_00.a9s: Searching for sections
/Research/insta/Insta360FW_part_00.a9s: Matching '.ARM.exidx' section at 0x0054af80: 1 exception entries
/Research/insta/Insta360FW_part_00.a9s: Set '.ARM.exidx' section at file pos 0x0054af80, size 0x00000008
/Research/insta/Insta360FW_part_00.a9s: Set '.text' section at file pos 0x00000000, size 0x0054af80
/Research/insta/Insta360FW_part_00.a9s: Set '.data' section at file pos 0x0054af88, size 0x0014e598
/Research/insta/Insta360FW_part_00.a9s: Set '.bss' section at file pos 0x00699520, size 0x9f967ae0
/Research/insta/Insta360FW_part_00.a9s: ELF template 'amba_sys2elf_template.elf' copied to 'Insta360FW_part_00.elf', 5140 bytes
/Research/insta/Insta360FW_part_00.a9s: Section '.text' memory address set to 0xa0001000, alignment 0x40
/Research/insta/Insta360FW_part_00.a9s: Section '.ARM.exidx' memory address set to 0xa054bf80, alignment 0x40
/Research/insta/Insta360FW_part_00.a9s: Section '.data' memory address set to 0xa054bf88, alignment 0x08
/Research/insta/Insta360FW_part_00.a9s: Section '.bss' memory address set to 0xa069a520, alignment 0x20
/Research/insta/Insta360FW_part_00.a9s: Updating entry point and section headers
/Research/insta/Insta360FW_part_00.a9s: Preparing ELF section '.text' from binary pos 0x00000000
/Research/insta/Insta360FW_part_00.a9s: Preparing ELF section '.ARM.exidx' from binary pos 0x0054af80
/Research/insta/Insta360FW_part_00.a9s: Preparing ELF section '.data' from binary pos 0x0054af88
/Research/insta/Insta360FW_part_00.a9s: Preparing ELF section '.bss' from binary pos 0x00699520
/Research/insta/Insta360FW_part_00.a9s: Writing changes to 'Insta360FW_part_00.elf'

而 UBI 分区看起来类似于以下内容：

/ubidump # ubireader_display_info /Research/insta/Insta360FW_part_04.a9s
UBI File
---------------------
    Min I/O: 2048
    LEB Size: 126976
    PEB Size: 131072
    Total Block Count: 99
    Data Block Count: 97
    Layout Block Count: 2
    Internal Volume Block Count: 0
    Unknown Block Count: 0
    First UBI PEB Number: 0

    Image: 891379931
    ---------------------
        Image Sequence Num: 891379931
        Volume Name:linux
        PEB Range: 0 - 98

        Volume: linux
        ---------------------
            Vol ID: 0
            Name: linux
            Block Count: 97

            Volume Record
            ---------------------
                alignment: 1
                crc: '0xeae44dff'
                data_pad: 0
                errors: ''
                flags: 0
                name: u'linux'
                name_len: 5
                padding: u'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
                rec_index: 0
                reserved_pebs: 389
                upd_marker: 0
                vol_type: 'dynamic'

所以我认为这应该足以让你开始。祝好运并玩得开心点！

其它你可能感兴趣的问题

上一篇如何反编译这个汇编代码？下一篇如何识别这个特定数据文件的结构？