I'm trying to build my own Linux derivative to run on a TI-AR7 board. I took the board from an old Telekom Speedport W 501V router. To understand how firmware is flashed onto the device, I downloaded the most recent official firmware. Using the Linux file command I determined that the image is a tar archive, which can be extracted easily.
    ubuntu@ip-172-31-23-210:~/reverse$ ls
    fw_speedport_w501v_v_28.04.38.image
    ubuntu@ip-172-31-23-210:~/reverse$ file fw*
    fw_speedport_w501v_v_28.04.38.image: POSIX tar archive (GNU)
    ubuntu@ip-172-31-23-210:~/reverse$ tar -xvf fw*
    ./var/
    ./var/tmp/
    ./var/tmp/kernel.image
    ./var/tmp/filesystem.image
    ./var/flash_update.ko
    ./var/flash_update.o
    ./var/info.txt
    ./var/install
    ./var/chksum
    ./var/regelex
    ./var/signature
    ubuntu@ip-172-31-23-210:~/reverse$
According to a wiki page I found (Firmware-Image), ./var/tmp/kernel.image contains the actual firmware. During the update process this image is written to the mtd1 device. As described in the wiki (LZMA-Kernel), the LZMA-compressed kernel starts with the magic number 0xfeed1281. A hexdump of kernel.image shows that number at the beginning.
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ hexdump -n 4 kernel.image
    0000000 1281 feed
    0000004
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$
The following script, given on the last wiki entry, should decompress the kernel.
    #! /usr/bin/perl
    # Reads the 0xfeed1281 header, checks the CRC32 of the LZMA payload and
    # rebuilds a .lzma ("alone") stream that Compress::unLZMA can decode.
    use Compress::unLZMA;
    use Archive::Zip;

    open INPUT, "<$ARGV[0]" or die "can't open $ARGV[0]: $!";
    binmode INPUT;
    read INPUT, $buf, 4;
    $magic = unpack("V", $buf);
    if ($magic != 0xfeed1281) {
        die "bad magic";
    }
    read INPUT, $buf, 4;
    $len = unpack("V", $buf);
    read INPUT, $buf, 4*2;          # address, unknown
    read INPUT, $buf, 4;
    $clen = unpack("V", $buf);      # compressed length
    read INPUT, $buf, 4;
    $dlen = unpack("V", $buf);      # decompressed length
    read INPUT, $buf, 4;
    $cksum = unpack("V", $buf);     # CRC32 of the compressed payload
    printf "Archive checksum: 0x%08x\n", $cksum;

    read INPUT, $buf, 1+4;          # properties, dictionary size
    read INPUT, $dummy, 3;          # alignment
    $buf .= pack('VV', $dlen, 0);   # 8 bytes of real size
    #$buf .= pack('VV', -1, -1);    # 8 bytes of real size (unknown size, use end marker)
    read INPUT, $buf2, $clen;
    $crc = Archive::Zip::computeCRC32($buf2);
    printf "Input CRC32: 0x%08x\n", $crc;
    if ($cksum != $crc) {
        die "wrong checksum";
    }
    $buf .= $buf2;
    $data = Compress::unLZMA::uncompress($buf);
    unless (defined $data) {
        die "uncompress: $@";
    }
    open OUTPUT, ">$ARGV[1]" or die "can't write $ARGV[1]";
    binmode OUTPUT;
    print OUTPUT $data;
    #truncate OUTPUT, $dlen;
To use the script you may need to install the Compress::unLZMA and Archive::Zip Perl modules.
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ tar -xvf Compress*
    Compress-unLZMA-0.04/
    Compress-unLZMA-0.04/Makefile.PL
    Compress-unLZMA-0.04/ppport.h
    Compress-unLZMA-0.04/Changes
    Compress-unLZMA-0.04/lzma_sdk/
    [...]
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ cd Compress*
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp/Compress-unLZMA-0.04$ perl Makefile.PL
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Compress::unLZMA
    Writing MYMETA.yml and MYMETA.json
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp/Compress-unLZMA-0.04$ make
    cp lib/Compress/unLZMA.pm blib/lib/Compress/unLZMA.pm
    /usr/bin/perl /usr/share/perl/5.18/ExtUtils/xsubpp -typemap /usr/share/perl/5.18/ExtUtils/typemap unLZMA.xs > unLZMA.xsc && mv unLZMA.xsc unLZMA.c
    cc -c -I. -Ilzma_sdk/Source -D_REENTRANT -D_GNU_SOURCE [...]
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp/Compress-unLZMA-0.04$ sudo make install
    Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
    Installing /usr/local/lib/perl/5.18.2/auto/Compress/unLZMA/unLZMA.bs
    Installing /usr/local/lib/perl/5.18.2/auto/Compress/unLZMA/unLZMA.so
    Installing /usr/local/lib/perl/5.18.2/Compress/unLZMA.pm
    Installing /usr/local/man/man3/Compress::unLZMA.3pm
    Appending installation info to /usr/local/lib/perl/5.18.2/perllocal.pod
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp/Compress-unLZMA-0.04$ # same for Archive::Zip module
After installing those dependencies, the script successfully decompressed the kernel.
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ ./decompress.pl kernel.image kernel.decompressed
    Archive checksum: 0x29176e12
    Input CRC32: 0x29176e12
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$
But what kind of file is kernel.decompressed, and how can I generate a similar file from my Linux kernel source? I continued analysing it using file and binwalk.
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ file kernel.decompressed
    kernel.decompressed: data
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ binwalk kernel.decompressed

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    1509632       0x170900        Linux kernel version "2.6.13.1-ohio (686) (gcc version 3.4.6) #9 Wed Apr 4 13:48:08 CEST 2007"
    1516240       0x1722D0        CRC32 polynomial table, little endian
    1517535       0x1727DF        Copyright string: "Copyright 1995-1998 Mark Adler "
    1549488       0x17A4B0        Unix path: /usr/gnemul/irix/
    1550920       0x17AA48        Unix path: /usr/lib/libc.so.1
    1618031       0x18B06F        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
    1966080       0x1E0000        gzip compressed data, maximum compression, from Unix, last modified: 2007-04-04 11:45:13

    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$
So the Linux kernel starts at 1509632 and ends at 1516240. What kind of data is stored in front of the Linux kernel (0 to 1509632)? I extracted the kernel and that unknown data using dd.
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ dd if=kernel.decompressed of=unknown.data bs=1 count=1509632
    1509632+0 records in
    1509632+0 records out
    1509632 bytes (1.5 MB) copied, 1.62137 s, 931 kB/s
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ dd if=kernel.decompressed of=kernel bs=1 skip=1509632 count=6608
    6608+0 records in
    6608+0 records out
    6608 bytes (6.6 kB) copied, 0.0072771 s, 908 kB/s
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$
I have to ask again: what kind of file is kernel, and how can I generate a similar file from my Linux kernel source? I used xxd and strings to take a closer look at the file.
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ xxd -l 100 kernel
    0000000: 4c69 6e75 7820 7665 7273 696f 6e20 322e  Linux version 2.
    0000010: 362e 3133 2e31 2d6f 6869 6f20 2836 3836  6.13.1-ohio (686
    0000020: 2920 2867 6363 2076 6572 7369 6f6e 2033  ) (gcc version 3
    0000030: 2e34 2e36 2920 2339 2057 6564 2041 7072  .4.6) #9 Wed Apr
    0000040: 2034 2031 333a 3438 3a30 3820 4345 5354   4 13:48:08 CEST
    0000050: 2032 3030 370a 0000 0000 0000 0000 0000   2007...........
    0000060: 0000 0000                                ....
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$ strings kernel
    Linux version 2.6.13.1-ohio (686) (gcc version 3.4.6) #9 Wed Apr 4 13:48:08 CEST 2007
    do_be
    do_bp
    do_tr
    do_ri
    do_cpu
    nmi_exception_handler
    do_ade
    emulate_load_store_insn
    do_page_fault
    context_switch
    __put_task_struct
    do_exit
    local_bh_enable
    run_workqueue
    2.6.13.1-ohio
    gcc-3.4
    enable_irq
    __free_pages_ok
    free_hot_cold_page
    prep_new_page
    kmem_cache_destroy
    kmem_cache_create
    pageout
    vunmap_pte_range
    vmap_pte_range
    __vunmap
    __brelse
    sync_dirty_buffer
    bio_endio
    queue_kicked_iocb
    proc_get_inode
    remove_proc_entry
    sysfs_get
    sysfs_fill_super
    kref_get
    kref_put
    0123456789abcdefghijklmnopqrstuvwxyz
    0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
    vsnprintf
    {zt^f
    pw0Gm
    0cIZ-
    68BG+
    QC]S%
    v,;Zk
    ubuntu@ip-172-31-23-210:~/reverse/var/tmp$
This GitHub repository contains the extracted files for further analysis.
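As an added example, not part of the original question and not the wiki's script, the same kernel.image header check rewritten in Python 3 with only the standard library. It mirrors the field layout the Perl script reads (magic, len, address, unknown, clen, dlen, cksum, 5 bytes of LZMA properties, 3 alignment bytes, then clen bytes of payload) and verifies the CRC32 before touching the LZMA data, which is the check a parser should do first. It goes one step beyond the script: the script stores dlen as the known uncompressed size and keeps the "unknown size plus end marker" variant commented out, and this version tries the first and falls back to the second, so it decodes both kinds of stream. Everything in build_image is a constructed test helper; the meaning of the len, address and unknown fields is not documented on the page, so len is filled with the total image size and address with whatever the caller passes, both as assumptions.

```python
"""Parse and decompress a 0xfeed1281 kernel.image container (added example).

Header layout copied from the Perl script on the page; the semantics of
len/address/unknown are not documented there and are treated as opaque.
"""
import lzma
import struct
import sys
import zlib
from typing import Optional

MAGIC = 0xFEED1281                      # stored little-endian: 81 12 ed fe
HEADER = struct.Struct("<7I")           # magic, len, address, unknown, clen, dlen, cksum
PROPS_LEN, ALIGN_LEN = 5, 3             # LZMA props byte + dict size, then 3 pad bytes
PAYLOAD_OFF = HEADER.size + PROPS_LEN + ALIGN_LEN   # == 36


def parse_image(image: bytes) -> dict:
    """Validate magic, length and CRC32 of the payload without decompressing."""
    if len(image) < PAYLOAD_OFF:
        raise ValueError("image shorter than the 36-byte header")
    magic, length, address, unknown, clen, dlen, cksum = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    payload = image[PAYLOAD_OFF:PAYLOAD_OFF + clen]
    if len(payload) != clen:
        raise ValueError(f"truncated payload: header says {clen} bytes, have {len(payload)}")
    crc = zlib.crc32(payload) & 0xFFFFFFFF   # same CRC32 as Archive::Zip::computeCRC32
    if crc != cksum:
        raise ValueError(f"wrong checksum: header 0x{cksum:08x}, computed 0x{crc:08x}")
    return {
        "magic": magic, "len": length, "address": address, "unknown": unknown,
        "clen": clen, "dlen": dlen, "cksum": cksum,
        "props": image[HEADER.size:HEADER.size + PROPS_LEN],
        "payload": payload,
    }


def _lzma_alone(props: bytes, size_field: int, payload: bytes) -> Optional[bytes]:
    """Decode a .lzma ("alone") stream: 5 props bytes + 8-byte size + payload."""
    header = props + struct.pack("<Q", size_field)
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(header + payload)
    except lzma.LZMAError:
        return None
    return out if dec.eof else None      # must reach end of stream to count as valid


def decompress_image(image: bytes) -> bytes:
    """Rebuild the .lzma header the way the Perl script does and decompress.

    The script stores dlen as the known size; its commented-out alternative
    stores "unknown" (all 0xFF) and relies on an end-of-payload marker.
    LZMA SDK streams usually lack the marker, liblzma streams always have
    it, so try the known size first and fall back to the marker variant.
    """
    info = parse_image(image)
    out = _lzma_alone(info["props"], info["dlen"], info["payload"])
    if out is None:
        out = _lzma_alone(info["props"], 0xFFFFFFFFFFFFFFFF, info["payload"])
    if out is None:
        raise ValueError("LZMA payload did not decode with either size header")
    return out[:info["dlen"]]


def build_image(payload: bytes, load_address: int = 0) -> bytes:
    """Constructed test helper: wrap payload in the assumed container layout."""
    alone = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    props, body = alone[:PROPS_LEN], alone[PROPS_LEN + 8:]   # strip the 8-byte size field
    header = HEADER.pack(MAGIC, PAYLOAD_OFF + len(body), load_address, 0,
                         len(body), len(payload), zlib.crc32(body) & 0xFFFFFFFF)
    return header + props + b"\0" * ALIGN_LEN + body


if __name__ == "__main__":
    # Usage: python3 unpack_kernel.py kernel.image kernel.decompressed
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    meta = parse_image(data)
    print(f"Archive checksum: 0x{meta['cksum']:08x} clen={meta['clen']} dlen={meta['dlen']}")
    with open(sys.argv[2], "wb") as f:
        f.write(decompress_image(data))
```

Checking the CRC32 before decompressing matters because the LZMA decoder is the component most likely to misbehave on corrupt or truncated input; the header check rejects such data cheaply, and the eof test in _lzma_alone refuses output from a stream that ended early.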