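Manually extracting router firmware with dd: firmware extraction for the FAST (迅捷) FR100P-AC PoE/AC all-in-one router
sn0w · Posted from Guangdong · IoT Security · 671 views · 2024-09-22 12:33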

First, try extracting directly with binwalk:

sudo binwalk -Me --run-as=root fr100pacv1.bin

This extracts the following:

Let's look at the scan output:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
20            0x14            IMG0 (VxWorks) header, size: 909568
43956         0xABB4          U-Boot version string, "U-Boot 1.1.3 (Jun  2 2017 - 18:37:14)"
57492         0xE094          IMG0 (VxWorks) header, size: 852096
57620         0xE114          LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 1267504 bytes
677152        0xA5520         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1758 bytes
678325        0xA59B5         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3237 bytes
678785        0xA5B81         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 200 bytes
678981        0xA5C45         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 80 bytes
679039        0xA5C7F         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 21984 bytes
682408        0xA69A8         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 147 bytes
682529        0xA6A21         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 493 bytes
682948        0xA6BC4         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2826 bytes
684431        0xA718F         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 32861 bytes
691537        0xA8D51         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4383 bytes
693333        0xA9455         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2747 bytes
694524        0xA98FC         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7316 bytes
696832        0xAA200         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1981 bytes
697735        0xAA587         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 15912 bytes
701953        0xAB601         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2955 bytes
702968        0xAB9F8         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6623 bytes
704981        0xAC1D5         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3565 bytes
706289        0xAC6F1         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2831 bytes
707554        0xACBE2         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4280 bytes
708886        0xAD116         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 10925 bytes
711326        0xADA9E         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 286 bytes
711548        0xADB7C         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3912 bytes
712971        0xAE10B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5943 bytes
714894        0xAE88E         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5955 bytes
716799        0xAEFFF         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6416 bytes
718873        0xAF819         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1638 bytes
719622        0xAFB06         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7549 bytes
721691        0xB031B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 857 bytes
722183        0xB0507         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 22381 bytes
727974        0xB1BA6         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 658 bytes
728333        0xB1D0D         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4425 bytes
730048        0xB23C0         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4401 bytes
731619        0xB29E3         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4797 bytes
733485        0xB312D         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6333 bytes
735563        0xB394B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2864 bytes
736803        0xB3E23         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7106 bytes
738927        0xB466F         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4353 bytes
740792        0xB4DB8         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 10715 bytes
743663        0xB58EF         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3421 bytes
744899        0xB5DC3         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5246 bytes
746532        0xB6424         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3185 bytes
747893        0xB6975         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1818 bytes
748655        0xB6C6F         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 716 bytes
749073        0xB6E11         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1048 bytes
749677        0xB706D         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2522 bytes
750896        0xB7530         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2640 bytes
752163        0xB7A23         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1607 bytes
752923        0xB7D1B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4403 bytes
754638        0xB83CE         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 749 bytes
755041        0xB8561         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2600 bytes
756057        0xB8959         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1230 bytes
756657        0xB8BB1         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3844 bytes
758108        0xB915C         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2816 bytes
759133        0xB955D         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4870 bytes
760503        0xB9AB7         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9220 bytes
762923        0xBA42B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 10038 bytes
766556        0xBB25C         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6395 bytes
768517        0xBBA05         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 17503 bytes
771879        0xBC727         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2398 bytes
772960        0xBCB60         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3504 bytes
774432        0xBD120         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1175 bytes
775058        0xBD392         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3068 bytes
776301        0xBD86D         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1754 bytes
777194        0xBDBEA         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 8625 bytes
780142        0xBE76E         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2387 bytes
781236        0xBEBB4         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 23062 bytes
786131        0xBFED3         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 42347 bytes
798172        0xC2DDC         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5860 bytes
799567        0xC334F         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 38827 bytes
809641        0xC5AA9         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14864 bytes
814530        0xC6DC2         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2508 bytes
815184        0xC7050         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3847 bytes
816478        0xC755E         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3883 bytes
820405        0xC84B5         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7922 bytes
828347        0xCA3BB         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 138 bytes
828501        0xCA455         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 136 bytes
828652        0xCA4EC         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 769 bytes
829448        0xCA808         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 689 bytes
830164        0xCAAD4         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 976 bytes
831148        0xCAEAC         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1004 bytes
832185        0xCB2B9         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1150 bytes
832297        0xCB329         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 812 bytes
833136        0xCB670         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 16085 bytes
835051        0xCBDEB         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 16268 bytes
837156        0xCC624         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 827 bytes
838014        0xCC97E         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 795 bytes
838833        0xCCCB1         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 570 bytes
839426        0xCCF02         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2199 bytes
841084        0xCD57C         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2742 bytes
843083        0xCDD4B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2661 bytes
845036        0xCE4EC         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 365 bytes
845421        0xCE66D         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3247 bytes
848678        0xCF326         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2247 bytes
849730        0xCF742         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 34308 bytes
861851        0xD269B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5950 bytes
864123        0xD2F7B         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2995 bytes
865222        0xD33C6         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 93724 bytes
896698        0xDAEBA         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9268 bytes
899285        0xDB8D5         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6012 bytes
900919        0xDBF37         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2706 bytes
902127        0xDC3EF         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3434 bytes
902719        0xDC63F         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2678 bytes
903333        0xDC8A5         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9021 bytes
904193        0xDCC01         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 859 bytes
904478        0xDCD1E         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5230 bytes
905026        0xDCF42         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1114 bytes

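A brief analysis:

  1. IMG0 (VxWorks) header

    • Start offset
      • Decimal: 20
      • Hexadecimal: 0x14
    • Description: IMG0 is the image header used by the VxWorks operating system and marks the start of the image. The size is 909,568 bytes.

  2. U-Boot version string

    • Start offset
      • Decimal: 43,956
      • Hexadecimal: 0xABB4
    • Description: contains the U-Boot version string, e.g. "U-Boot 1.1.3 (Jun 2 2017 - 18:37:14)". U-Boot is a common open-source bootloader widely used in embedded devices.

  3. Further IMG0 (VxWorks) headers

    • Start offset
      • Decimal: 57,492 (0xE094) and 57,620 (0xE114)
    • Description: the IMG0 header appears again, with a size of 852,096 bytes, together with a segment containing LZMA-compressed data.

  4. LZMA-compressed data segments

    • Start offset: from 57,620 (0xE114) to 905,026 (0xDCF42)
    • Description: most of the data segments are marked as LZMA-compressed data, with the following characteristics:
      • Properties: usually 0x5A or 0x6E, the LZMA compression properties byte.
      • Dictionary size: 8,388,608 bytes (8 MB) in every case. This is the dictionary the LZMA algorithm uses when compressing and decompressing data.
      • Uncompressed size: varies per segment, from a few hundred bytes to tens of thousands of bytes.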

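We take the start offset and size of each LZMA-compressed segment and visualize them.

The compressed segment starting at 57620 takes up by far the largest share, so we guess it is the main program.

So we use dd to extract the segment at 57620 manually: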

dd if=fr100pacv1.bin of=57620.lzma bs=1 skip=57620 count=619532
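
The segment sizing and the dd parameters above can be derived from the binwalk table itself. The following is an added example, not code from the original post: it parses binwalk rows, treats the distance to the next signature as each LZMA segment's span, and rebuilds the dd command. The sample rows are copied from the table above; the function names are hypothetical.

```python
import re

# Constructed sample: six rows copied from the binwalk table above.
SAMPLE = """\
20            0x14            IMG0 (VxWorks) header, size: 909568
57492         0xE094          IMG0 (VxWorks) header, size: 852096
57620         0xE114          LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 1267504 bytes
677152        0xA5520         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1758 bytes
678325        0xA59B5         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3237 bytes
678785        0xA5B81         LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 200 bytes
"""

ROW = re.compile(r"^(\d+)\s+0x[0-9A-Fa-f]+\s+(.+)$")
LZMA = re.compile(r"LZMA compressed data, properties: (0x[0-9A-Fa-f]+),"
                  r".*uncompressed size: (\d+) bytes")

def parse_rows(text):
    """Return sorted (offset, description) pairs, skipping header and rule lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return sorted(rows)

def lzma_segments(text):
    """Each LZMA hit with its span: the distance to the next signature binwalk found.
    The span is an upper bound on the compressed length (it may include padding).
    The last row has no following signature and is left out."""
    rows = parse_rows(text)
    segs = []
    for (off, desc), (nxt, _) in zip(rows, rows[1:]):
        m = LZMA.search(desc)
        if m:
            segs.append({"offset": off, "span": nxt - off,
                         "props": m.group(1), "unpacked": int(m.group(2))})
    return segs

def largest_segment(text):
    """The LZMA segment with the largest declared uncompressed size."""
    return max(lzma_segments(text), key=lambda s: s["unpacked"])

def dd_command(image, seg):
    """dd invocation in the same form the article uses (hypothetical helper)."""
    return (f"dd if={image} of={seg['offset']}.lzma bs=1 "
            f"skip={seg['offset']} count={seg['span']}")

if __name__ == "__main__":
    print(dd_command("fr100pacv1.bin", largest_segment(SAMPLE)))
```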

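The extraction succeeds and produces 57620.lzma, which we then open in 010 Editor.

The grayscale of this region is completely different from the rest, which indicates that the data here is redundant and should be deleted. After removing it, the file decompresses successfully.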
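
The header fields binwalk reports for each segment (properties, dictionary size, uncompressed size) and the trailing-data problem just described can both be handled in code. The following is an added example, not code from the original post: it decodes the 13-byte LZMA "alone" header and decompresses a carved segment with Python's `lzma` module, reporting how many trailing bytes were left over instead of requiring them to be trimmed by hand. The sample stream is constructed; the function names are hypothetical.

```python
import lzma
import struct

def parse_alone_header(buf):
    """Decode the 13-byte LZMA 'alone' header: props byte, dictionary size
    (u32 LE) and uncompressed size (u64 LE, all ones means 'unknown')."""
    props, dict_size, usize = struct.unpack_from("<BIQ", buf, 0)
    if props >= 9 * 5 * 5:
        raise ValueError("props byte out of range: not an LZMA-alone header")
    lc, rest = props % 9, props // 9       # props = (pb * 5 + lp) * 9 + lc
    return {"props": props, "lc": lc, "lp": rest % 5, "pb": rest // 5,
            "dict_size": dict_size,
            "uncompressed_size": None if usize == 0xFFFFFFFFFFFFFFFF else usize}

def decompress_carved(buf):
    """Decompress a carved segment. Returns (data, trailing_len), where
    trailing_len counts bytes after the end of the LZMA stream (padding)."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    data = dec.decompress(buf)
    if not dec.eof:
        raise ValueError("stream did not end: the carve is too short")
    return data, len(dec.unused_data)

def build_sample():
    """Constructed test input: an LZMA-alone stream with props 0x5A and an
    8 MiB dictionary (as in the table above), followed by 300 padding bytes."""
    payload = b"constructed firmware payload " * 64
    filt = [{"id": lzma.FILTER_LZMA1, "lc": 0, "lp": 0, "pb": 2,
             "dict_size": 8388608}]
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE, filters=filt)
    return payload, stream + b"\xff" * 300

if __name__ == "__main__":
    payload, carved = build_sample()
    print(parse_alone_header(carved))
    data, trailing = decompress_carved(carved)
    print(len(data), "bytes decompressed,", trailing, "trailing bytes ignored")
```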

Running binwalk on 57620 again gives:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
176636        0x2B1FC         Copyright string: "Copyright(C) 2001-2011 by TP-LINK TECHNOLOGIES CO., LTD."
522740        0x7F9F4         PEM certificate
523412        0x7FC94         PEM RSA private key
559336        0x888E8         Copyright string: "Copyright FAST_TECHNOLOGIES"
790532        0xC1004         HTML document header
790597        0xC1045         HTML document footer
947428        0xE74E4         PEM certificate
947484        0xE751C         PEM certificate request
947668        0xE75D4         PEM RSA private key
947864        0xE7698         PEM EC private key
947928        0xE76D8         PEM DSA private key
1049388       0x10032C        XML document, version: "1.0"
1049576       0x1003E8        Base64 standard index table
1183672       0x120FB8        SHA256 hash constants, little endian
1242908       0x12F71C        XML document, version: "1.0"

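The key detail here is "little endian": the byte order is known, but there is no specific architecture information, so we work it out by trial and error in IDA.

After loading, it looks like this. On load, IDA prompts you to press C at the address you believe is the start of the code to disassemble from there.

As you can see, it did decompile, but code like this, without even function names, certainly has something wrong with it, so we analyze from the assembly at the start:

The code here jumps to 0xB0000600, so we guess that the base address of the program segment is 0xB0000000. Next, we analyze it with Ghidra.

It now largely decompiles:

But there is a problem: some addresses still start with 0x80000000, and string dereferencing fails as well.

So we change the base address to that value, 0x80000000.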
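
The base-address check described above (strings only resolve when the base is right) can be scored automatically. The following is an added example, not code from the original post: for each candidate base it counts the aligned 32-bit little-endian words that, after subtracting the base, land exactly on the start of a NUL-terminated string. The blob is constructed and the function names are hypothetical.

```python
import re
import struct

def string_starts(blob, min_len=6):
    """Offsets of NUL-terminated printable ASCII runs that begin right after a NUL."""
    starts = set()
    for m in re.finditer(rb"[\x20-\x7e]{%d,}\x00" % min_len, blob):
        if m.start() == 0 or blob[m.start() - 1] == 0:
            starts.add(m.start())
    return starts

def score_base(blob, base):
    """Count aligned little-endian words that point at a string start for this base."""
    starts = string_starts(blob)
    hits = 0
    for off in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        if word - base in starts:
            hits += 1
    return hits

def best_base(blob, candidates):
    """Candidate load address under which the most pointers resolve to strings."""
    return max(candidates, key=lambda base: score_base(blob, base))

def build_sample(base=0x80000000):
    """Constructed image: three strings followed by a table of pointers to them,
    linked at `base`. Stands in for the decompressed main program."""
    blob = bytearray(16)
    offsets = []
    for s in (b"httpd: bind failed", b"/web/index.htm", b"admin_password"):
        offsets.append(len(blob))
        blob += s + b"\x00"
    blob += b"\x00" * (-len(blob) % 4)          # align the pointer table
    for off in offsets:
        blob += struct.pack("<I", base + off)
    return bytes(blob)

if __name__ == "__main__":
    sample = build_sample()
    for cand in (0xB0000000, 0x80000000):       # the two bases tried in the article
        print(hex(cand), score_base(sample, cand))
```

On a real image the winning base should score far above the others; a near-zero score for every candidate suggests the wrong byte order or a base outside the candidate list.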

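At this point the firmware's main program has essentially been extracted, and further analysis can begin.

Summary:

Going from binwalk's automatic extraction to manual extraction is a reminder that a script kiddie never becomes an expert; you have to step out of your comfort zone.

Reference:

Research on firmware extraction for the FAST PoE*AC all-in-one router FR100P-AC (qq.com)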
