Here is the link to the firmware update: Four Thirds lens joint update service

These results are most likely false positives. After the first ~1536 bytes, the data is encoded and essentially random (very high entropy). ZBOOT firmware is typically found in TVs, and ISAM and MyISAM files are used by the MySQL MyISAM storage engine, which seems unlikely to be running on an embedded system with significant memory constraints, such as a digital camera.
Analysis

Signatures

Here are the 3-byte sequences of the MySQL file signatures (from binwalk/sql):
```
\xfe\xfe\x03 MySQL MISAM index file
\xfe\xfe\x05 MySQL ISAM index file
\xfe\xfe\x06 MySQL ISAM compressed data file
\xfe\xfe\x07 MySQL MISAM compressed data file
```
A shorter byte sequence is more likely to occur by chance in a 31901184-byte binary with very high entropy.

Here is the signature for the ZBOOT firmware header (from binwalk/firmware):
```
#Firmware header used by some TV's
0     string    FNIB    ZBOOT firmware header, header size: 32 bytes,
>8    lelong    x       load address: 0x%.8X,
>12   lelong    x       start address: 0x%.8X,
>16   lelong    x       checksum: 0x%.8X,
>20   lelong    x       version: 0x%.8X,
>24   lelong    <1      invalid
>24   lelong    x       image size: %d bytes
```
Looking at the bytes binwalk detected as the ZBOOT signature with hexdump confirms the scan output:
```
$ hexdump -C -s 31869478 -n 24 GM5__V11.bin
01e64a26  46 4e 49 42 ba 86 a0 69  30 f8 f4 29 5d 29 92 96  |FNIB...i0..)])..|
01e64a36  27 73 83 11 16 73 43 b1                           |'s...sC.|
```
The load address 0x29F4F830, start address 0x9692295D, version 0xB1437316 and image size of 1837825596 bytes all look wrong. A 1.8 GB firmware image would imply at least that much memory space to load the image into, which does not seem right for a digital camera.
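To make the two arguments above concrete (how often a 3-byte signature is expected to show up by chance in 31901184 bytes of near-random data, and whether the fields decoded from the FNIB hit can possibly describe a real image), here is an added Python example. It is not code from the original answer or from binwalk; it hard-codes the file size and offset quoted above and rebuilds the 24 dumped bytes, appending an image-size field reconstructed from the 1837825596-byte value binwalk printed, since the hexdump itself stops at 24 bytes.

```python
import struct

FILE_SIZE = 31901184      # size of GM5__V11.bin, as reported by ent above
ZBOOT_OFFSET = 31869478   # offset of the FNIB magic in the hexdump above

# MySQL signatures from binwalk's sql magic file, quoted above: all 3 bytes long.
MYSQL_SIGS = {
    b"\xfe\xfe\x03": "MySQL MISAM index file",
    b"\xfe\xfe\x05": "MySQL ISAM index file",
    b"\xfe\xfe\x06": "MySQL ISAM compressed data file",
    b"\xfe\xfe\x07": "MySQL MISAM compressed data file",
}


def expected_random_matches(sig_len: int, file_len: int) -> float:
    """Expected number of positions at which one fixed sig_len-byte string occurs
    in file_len bytes of uniformly random data: each position hits with 256**-sig_len."""
    return (file_len - sig_len + 1) / 256 ** sig_len


def expected_mysql_hits(file_len: int) -> float:
    """Total expected chance hits of the four 3-byte MySQL signatures combined."""
    return sum(expected_random_matches(len(s), file_len) for s in MYSQL_SIGS)


# Constructed test data: the 24 bytes shown by `hexdump -C -s 31869478 -n 24`, followed
# by the image-size field at +24, which the dump does not show and is therefore
# rebuilt here from the 1837825596-byte value binwalk printed.
ZBOOT_BYTES = bytes.fromhex(
    "464e4942" "ba86a069" "30f8f429" "5d299296" "27738311" "167343b1"
) + struct.pack("<I", 1837825596)


def parse_zboot_header(data: bytes, offset: int = 0) -> dict:
    """Decode the fields the binwalk ZBOOT signature prints: 'FNIB' at +0, then
    little-endian 32-bit load address (+8), start address (+12), checksum (+16),
    version (+20) and image size (+24)."""
    if data[offset:offset + 4] != b"FNIB":
        raise ValueError("no FNIB magic at offset %d" % offset)
    load, start, checksum, version, size = struct.unpack_from("<5I", data, offset + 8)
    return {"load_address": load, "start_address": start, "checksum": checksum,
            "version": version, "image_size": size}


def plausibility_issues(hdr: dict, file_len: int, header_offset: int) -> list:
    """Sanity checks to apply to a signature hit before trusting it: a header whose
    payload cannot fit in the bytes that follow it is a false positive."""
    issues = []
    remaining = file_len - header_offset - 32          # 32-byte header per the signature
    if hdr["image_size"] > remaining:
        issues.append("image size %d bytes exceeds the %d bytes after the header"
                      % (hdr["image_size"], remaining))
    if hdr["image_size"] == 0:
        issues.append("image size is zero (binwalk's own '<1 invalid' rule)")
    return issues


if __name__ == "__main__":
    print("expected chance hits of one 3-byte signature: %.2f"
          % expected_random_matches(3, FILE_SIZE))
    print("expected chance hits of all four MySQL signatures: %.2f"
          % expected_mysql_hits(FILE_SIZE))
    print("expected chance hits of the 4-byte FNIB magic: %.4f"
          % expected_random_matches(4, FILE_SIZE))
    hdr = parse_zboot_header(ZBOOT_BYTES)
    for key, value in hdr.items():
        print("%-14s 0x%08X (%d)" % (key, value, value))
    for issue in plausibility_issues(hdr, FILE_SIZE, ZBOOT_OFFSET):
        print("issue:", issue)
```

For a file of this size the four 3-byte MySQL signatures together are expected to match by chance roughly 7.6 times in uniformly random data, while the 4-byte FNIB magic is expected under 0.01 times; the FNIB hit then fails the size check because only a little over 31 KB remains after the header.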
Entropy analysis

Here is the entropy graph generated by binwalk:

The very smooth line close to 1 indicates compression or encryption. ent provides further support for this:
```
$ ent GM5__V11.bin
Entropy = 7.999995 bits per byte.

Optimum compression would reduce the size
of this 31901184 byte file by 0 percent.

Chi square distribution for 31901184 samples is 235.87, and randomly
would exceed this value 79.95 percent of the times.

Arithmetic mean value of data bytes is 127.4853 (127.5 = random).
Monte Carlo value for Pi is 3.142165006 (error 0.02 percent).
Serial correlation coefficient is -0.000084 (totally uncorrelated = 0.0).
```
According to tests performed by devttys0:

> Applying these tests to a sample of (admittedly small) files of different sizes that had been put through different compression/encryption algorithms shows the following correlations:
>
> - A large deviation in the chi square distribution, or a large percentage of error in the Monte Carlo approximation, is a sure sign of compression.
> - A very accurate pi calculation (< .01% error) is a sure sign of encryption.
> - Lower chi values (< 300) and higher pi error (> .03%) indicate compression.
> - Higher chi values (> 300) and lower pi error (< .03%) indicate encryption.

Since the ent results are a chi square distribution of 235.87 and a pi calculation error of 0.02%, it is hard to tell which it is using these heuristics alone.
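As an added example (not part of the original answer, and not ent's or devttys0's code), the following Python reimplements the statistics ent prints and encodes the quantified rules quoted above, so the same heuristics can be run over any byte buffer. The Monte Carlo estimate follows ent's approach of treating each 6-byte group as an (x, y) point; the first rule ("a large deviation ... is a sure sign of compression") names no threshold and is deliberately not encoded, and the inputs in the demo section are constructed (OS randomness and zlib output), not the firmware.

```python
import math
import os
import zlib


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution
    (255 degrees of freedom; random data scores around 255)."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def arithmetic_mean(data: bytes) -> float:
    """Mean byte value; 127.5 for uniformly random data."""
    return sum(data) / len(data)


def monte_carlo_pi(data: bytes) -> float:
    """ent-style estimate: each 6-byte group is an (x, y) point in a 2^24 square,
    and the fraction falling inside the inscribed quarter circle approximates pi/4."""
    radius_sq = (2 ** 24 - 1) ** 2
    inside = total = 0
    for i in range(0, len(data) - 5, 6):
        x = int.from_bytes(data[i:i + 3], "big")
        y = int.from_bytes(data[i + 3:i + 6], "big")
        total += 1
        if x * x + y * y <= radius_sq:
            inside += 1
    return 4.0 * inside / total


def pi_error_percent(estimate: float) -> float:
    """Percentage error of a pi estimate, as ent reports it."""
    return abs(estimate - math.pi) / math.pi * 100.0


def serial_correlation(data: bytes) -> float:
    """Correlation of each byte with the next one (wrapping around); 0 when uncorrelated."""
    n = len(data)
    xs, ys = data, data[1:] + data[:1]
    sx, sy = sum(xs), sum(ys)
    sxx, syy = sum(x * x for x in xs), sum(y * y for y in ys)
    sxy = sum(x * y for x, y in zip(xs, ys))
    denom = math.sqrt((n * sxx - sx * sx) * (n * syy - sy * sy))
    return (n * sxy - sx * sy) / denom if denom else 0.0


def classify(chi: float, pi_err_pct: float) -> str:
    """The quantified devttys0 rules quoted above; anything else is 'inconclusive'."""
    if pi_err_pct < 0.01:
        return "encryption"
    if chi < 300 and pi_err_pct > 0.03:
        return "compression"
    if chi > 300 and pi_err_pct < 0.03:
        return "encryption"
    return "inconclusive"


def report(data: bytes) -> dict:
    """All ent-style figures for a buffer plus the heuristic verdict."""
    chi, pi_est = chi_square(data), monte_carlo_pi(data)
    err = pi_error_percent(pi_est)
    return {"chi_square": chi, "mean": arithmetic_mean(data), "pi": pi_est,
            "pi_error_pct": err, "serial_correlation": serial_correlation(data),
            "verdict": classify(chi, err)}


if __name__ == "__main__":
    # Constructed inputs: OS randomness stands in for ciphertext, zlib output for a
    # compressed stream; the GM5 figures are the ones ent printed above.
    print("GM5__V11.bin (ent figures above) ->", classify(235.87, 0.02))
    samples = {
        "os.urandom": os.urandom(1 << 20),
        "zlib": zlib.compress(b"".join(os.urandom(64) + b" " * 64 for _ in range(8192)), 9),
    }
    for name, data in samples.items():
        r = report(data)
        print(name, "->", {k: (round(v, 4) if isinstance(v, float) else v) for k, v in r.items()})
```

Running it shows why the answer calls the result inconclusive: 235.87 is below the 300 line, but a 0.02% pi error sits between the two thresholds, so neither quantified rule fires. Pure random bytes normally land in the same grey zone at this sample size, which is the limitation of these heuristics.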
File header

The header is not encoded and can be analyzed separately from the encoded portion of the binary. To get a sense of its structure, here is a visualization of the header created with binvis.io:

This helps when investigating the hexdump of the header:
```
$ hexdump -C header.bin
00000000  55 50 44 00 00 02 00 00  00 02 00 00 47 4d 35 00  |UPD.........GM5.|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 10 01 10 01  |................|
00000020  04 00 00 00 48 17 27 01  00 00 00 00 03 00 00 00  |....H.'.........|
00000030  00 00 00 00 03 00 00 00  00 02 00 00 00 c4 e6 01  |................|
00000040  49 a1 b1 e2 00 00 00 00  00 00 00 00 00 00 00 00  |I...............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  70 61 6e 61 73 6f 6e 69  63 00 00 00 00 00 00 00  |panasonic.......|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000220  09 1a d7 cd 27 82 30 17  85 18 17 7b 0a fe 57 de  |....'.0....{..W.|
00000230  ba 20 30 41 f1 97 64 12  a0 a3 39 65 85 45 28 6c  |. 0A..d...9e.E(l|
00000240  f8 2d 00 75 99 6a 32 73  1d 0a fe c7 8d 9b af e5  |.-.u.j2s........|
00000250  8a 17 2c 78 64 37 b1 cb  24 ee 69 d1 b0 9a 1e fb  |..,xd7..$.i.....|
00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000002a0  55 50 44 00 00 02 00 00  00 02 00 00 47 4d 35 00  |UPD.........GM5.|
000002b0  00 00 00 00 00 00 00 00  00 00 00 00 10 01 10 01  |................|
000002c0  04 00 00 00 48 17 27 01  00 00 00 00 03 00 00 00  |....H.'.........|
000002d0  00 00 00 00 03 00 00 00  00 02 00 00 00 c4 e6 01  |................|
000002e0  00 00 00 00 00 00 00 00  08 00 00 00 70 72 6f 67  |............prog|
000002f0  72 61 6d 00 00 00 00 00  00 04 00 00 00 00 80 00  |ram.............|
00000300  00 00 00 00 03 00 00 00  e6 ce 3a 07 64 fd 56 e0  |..........:.d.V.|
00000310  f2 55 d4 41 2d 30 b1 f9  f7 3b 52 82 b3 33 c0 fe  |.U.A-0...;R..3..|
00000320  80 f1 6d c1 18 33 07 8c  84 03 c7 fb f9 8b de 15  |..m..3..........|
00000330  a6 9e 7c ba ee be 5f 6a  00 00 00 00 00 00 00 00  |..|..._j........|
00000340  00 00 00 00 00 00 00 00  67 75 69 72 65 73 00 00  |........guires..|
00000350  00 00 00 00 00 04 80 00  00 00 c0 00 00 00 80 00  |................|
00000360  03 00 00 00 5e 59 a4 51  17 17 91 01 88 1b 5b e4  |....^Y.Q......[.|
00000370  59 05 6f aa 86 75 95 24  a3 a6 0f 57 07 87 d1 38  |Y.o..u.$...W...8|
00000380  b3 53 05 c2 52 e3 63 b6  ab 09 1d 0d 14 81 ae 69  |.S..R.c........i|
00000390  de 76 1b 11 00 00 00 00  00 00 00 00 00 00 00 00  |.v..............|
000003a0  00 00 00 00 70 72 6f 67  72 61 6d 32 00 00 00 00  |....program2....|
000003b0  00 04 40 01 00 00 36 00  00 00 40 01 03 00 00 00  |..@...6...@.....|
000003c0  90 dd 3e 4a 19 c6 00 85  71 f1 62 3e 4d 84 9f 24  |..>J....q.b>M..$|
000003d0  5b 27 94 73 f4 3e 3b 13  f8 b7 63 e6 c9 4a 53 a5  |['.s.>;...c..JS.|
000003e0  39 c4 94 f0 01 50 3f 7d  66 6b 16 91 31 be 58 9f  |9....P?}fk..1.X.|
000003f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000400  61 72 6d 63 6f 64 65 00  00 00 00 00 00 04 76 01  |armcode.......v.|
00000410  00 00 34 00 00 00 76 01  03 00 00 00 c7 e1 96 1a  |..4...v.........|
00000420  12 18 64 68 6f 32 7a 3b  f8 2b 18 d1 59 6e 39 a4  |..dho2z;.+..Yn9.|
00000430  4b a1 3b 0e 63 fc 7c d1  a6 c9 10 b1 4e 1a 90 e6  |K.;.c.|.....N...|
00000440  e9 fb ec 36 92 7b dc 2b  29 e5 b4 b0 00 00 00 00  |...6.{.+).......|
00000450  00 00 00 00 00 00 00 00  00 00 00 00 6f 74 68 65  |............othe|
00000460  72 00 00 00 00 00 00 00  00 04 aa 01 00 00 38 00  |r.............8.|
00000470  00 00 b4 01 03 00 00 00  a2 36 81 24 c4 43 60 d8  |.........6.$.C`.|
00000480  05 96 82 00 24 9b d0 f2  01 72 74 8a 4b 41 0a b6  |....$....rt.KA..|
00000490  c2 ae 74 54 b2 b0 74 54  3e 8e 15 3b e1 b1 0b d8  |..tT..tT>..;....|
000004a0  24 4d 11 32 c6 d4 78 fc  00 00 00 00 00 00 00 00  |$M.2..x.........|
000004b0  00 00 00 00 00 00 00 00  65 65 70 5f 6f 77 5f 61  |........eep_ow_a|
000004c0  00 00 00 00 00 04 e2 01  00 00 02 00 00 00 fa 01  |................|
000004d0  03 00 00 00 b3 45 11 95  0d 13 6f 0d d1 7a 2d 4e  |.....E....o..z-N|
000004e0  86 72 d7 65 0c 2b db a9  fb 21 c8 93 a3 9b 95 cb  |.r.e.+...!......|
000004f0  0a bd 38 87 84 86 28 33  c3 e7 ca 1c 74 5b 10 34  |..8...(3....t[.4|
00000500  65 20 02 aa 00 00 00 00  00 00 00 00 00 00 00 00  |e ..............|
00000510  00 00 00 00 65 65 70 5f  6f 77 5f 62 00 00 00 00  |....eep_ow_b....|
00000520  00 04 e4 01 00 00 02 00  00 00 fc 01 03 00 00 00  |................|
00000530  b3 45 11 95 0d 13 6f 0d  d1 7a 2d 4e 86 72 d7 65  |.E....o..z-N.r.e|
00000540  0c 2b db a9 fb 21 c8 93  a3 9b 95 cb 0a bd 38 87  |.+...!........8.|
00000550  74 e7 e8 b9 78 c8 63 0a  85 b7 4a 2b 7c fc 6f e0  |t...x.c...J+|.o.|
00000560  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000570  65 65 70 5f 61 64 6a 66  69 78 00 00 00 04 e6 01  |eep_adjfix......|
00000580  00 c0 00 00 00 00 fe 01  03 00 00 00 72 be 21 58  |............r.!X|
00000590  3a cd 1f 9f 93 d9 8b 9d  7d ac ef 1a b7 28 c1 31  |:.......}....(.1|
000005a0  29 df cc 02 a2 ef a9 ae  30 b6 ea cc b7 89 e4 78  |).......0......x|
000005b0  4b d1 60 72 c8 77 e2 b5  d6 03 03 c5 00 00 00 00  |K.`r.w..........|
000005c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
```
Between the visualization and the hexdump of the header, it looks like there are 10 or 11 blocks of bytes separated by sequences of 0x00 bytes, and each of these blocks begins with ASCII data. Here are the human-readable strings:
```
UPD
GM5
panasonic
UPD
GM5
program
guires
program2
armcode
other
eep_ow_a
eep_ow_b
eep_adjfix
```
Without more information it is hard to determine what significance (if any) the data in the first 1536 unencoded bytes of the file has.

Update:

I looked for patterns in the non-zero byte blocks and observed the 8 strings below, each followed by the byte sequence 00 00 00 04:
```
program
guires
program2
armcode
other
eep_ow_a
eep_ow_b
eep_adjfix
```

I also observed the following repeating 03 00 00 00:

The padding between these 8 blocks consists of sixteen 00 bytes:

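The three observations in the update (an ASCII name followed by `00 00 00 04`, a repeating `03 00 00 00`, and sixteen `00` bytes between blocks) are consistent with a fixed 92-byte record per name, and the hexdump above supports one further reading that the answer itself does not state: the 4-byte value before each name table (`08 00 00 00` at 0x2e8) is the number of records, and in every record the second 32-bit field equals the previous record's second field plus its third, as an offset/size pair would. The following Python is an added example (not code from the original answer); the record layout, the field names `offset`/`size`, and the `table_offset` of 0x2e8 are my hypotheses read off the dump, and the embedded input is a constructed excerpt of the page's own `hexdump -C header.bin` output covering the first three records.

```python
import struct
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the `hexdump -C header.bin` output above, from the
# four-byte count at 0x2e8 through the end of the third named record (0x3ff).
HEADER_EXCERPT = """
000002e0 00 00 00 00 00 00 00 00 08 00 00 00 70 72 6f 67 |............prog|
000002f0 72 61 6d 00 00 00 00 00 00 04 00 00 00 00 80 00 |ram.............|
00000300 00 00 00 00 03 00 00 00 e6 ce 3a 07 64 fd 56 e0 |..........:.d.V.|
00000310 f2 55 d4 41 2d 30 b1 f9 f7 3b 52 82 b3 33 c0 fe |.U.A-0...;R..3..|
00000320 80 f1 6d c1 18 33 07 8c 84 03 c7 fb f9 8b de 15 |..m..3..........|
00000330 a6 9e 7c ba ee be 5f 6a 00 00 00 00 00 00 00 00 |..|..._j........|
00000340 00 00 00 00 00 00 00 00 67 75 69 72 65 73 00 00 |........guires..|
00000350 00 00 00 00 00 04 80 00 00 00 c0 00 00 00 80 00 |................|
00000360 03 00 00 00 5e 59 a4 51 17 17 91 01 88 1b 5b e4 |....^Y.Q......[.|
00000370 59 05 6f aa 86 75 95 24 a3 a6 0f 57 07 87 d1 38 |Y.o..u.$...W...8|
00000380 b3 53 05 c2 52 e3 63 b6 ab 09 1d 0d 14 81 ae 69 |.S..R.c........i|
00000390 de 76 1b 11 00 00 00 00 00 00 00 00 00 00 00 00 |.v..............|
000003a0 00 00 00 00 70 72 6f 67 72 61 6d 32 00 00 00 00 |....program2....|
000003b0 00 04 40 01 00 00 36 00 00 00 40 01 03 00 00 00 |..@...6...@.....|
000003c0 90 dd 3e 4a 19 c6 00 85 71 f1 62 3e 4d 84 9f 24 |..>J....q.b>M..$|
000003d0 5b 27 94 73 f4 3e 3b 13 f8 b7 63 e6 c9 4a 53 a5 |['.s.>;...c..JS.|
000003e0 39 c4 94 f0 01 50 3f 7d 66 6b 16 91 31 be 58 9f |9....P?}fk..1.X.|
000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
"""

# Hypothesised record layout (92 bytes): 12-byte NUL-padded name, three little-endian
# u32 fields (read here as offset, size, and an unexplained third value), the
# constant 03 00 00 00, a 48-byte blob, and 16 bytes of 00 padding.
ENTRY_FMT = "<12sIIII48s16s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 92


def parse_hexdump(text: str) -> Tuple[int, bytes]:
    """Rebuild (base_offset, bytes) from `hexdump -C` text. A '*' line means the
    previous line repeats until the next printed offset, so gaps are filled that way."""
    base, buf, prev = None, bytearray(), b""
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "*":
            continue
        fields = line.split("|")[0].split()       # drop the ASCII column
        off = int(fields[0], 16)
        chunk = bytes.fromhex("".join(fields[1:]))
        if base is None:
            base = off
        while base + len(buf) < off:              # expand a preceding '*' run
            buf += prev
        buf += chunk
        prev = chunk
    return base, bytes(buf)


def parse_entries(buf: bytes, table_pos: int) -> Tuple[int, List[Dict]]:
    """Read the u32 record count at table_pos, then as many records as the buffer holds."""
    count = struct.unpack_from("<I", buf, table_pos)[0]
    entries, pos = [], table_pos + 4
    while len(entries) < count and pos + ENTRY_SIZE <= len(buf):
        name, off, size, third, const, blob, pad = struct.unpack_from(ENTRY_FMT, buf, pos)
        entries.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                        "offset": off, "size": size, "third": third, "const": const,
                        "blob": blob, "pad": pad, "pos": pos})
        pos += ENTRY_SIZE
    return count, entries


def layout_issues(entries: List[Dict]) -> List[str]:
    """Verify the observations above (ASCII name, constant 3, sixteen 00 bytes) and the
    offset/size hypothesis: each offset equals the previous offset plus its size."""
    issues = []
    for i, e in enumerate(entries):
        if not e["name"] or not e["name"].isascii() or not e["name"].isprintable():
            issues.append("record %d: name is not printable ASCII" % i)
        if e["const"] != 3:
            issues.append("%s: constant field is %d, not 3" % (e["name"], e["const"]))
        if e["pad"] != bytes(16):
            issues.append("%s: padding is not sixteen 00 bytes" % e["name"])
        if i and e["offset"] != entries[i - 1]["offset"] + entries[i - 1]["size"]:
            issues.append("%s: offset 0x%X != previous offset + size" % (e["name"], e["offset"]))
    return issues


def analyze_header(text: str, table_offset: int = 0x2E8):
    """Parse a hexdump of the header and return (count, records, issues)."""
    base, buf = parse_hexdump(text)
    count, entries = parse_entries(buf, table_offset - base)
    return count, entries, layout_issues(entries)


if __name__ == "__main__":
    count, entries, issues = analyze_header(HEADER_EXCERPT)
    print("record count field: %d (excerpt holds %d records)" % (count, len(entries)))
    for e in entries:
        print("%-12s offset=0x%08X size=0x%08X third=0x%08X blob=%s..."
              % (e["name"], e["offset"], e["size"], e["third"], e["blob"][:8].hex()))
    print("layout issues:", issues or "none")
```

Run against the full `hexdump -C header.bin` output the same code parses all 8 records, and the `*` handling is what keeps the offsets right across the collapsed runs of zero lines.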