A few days ago I decided to reverse engineer my router's firmware using binwalk.
I bought myself
Every time I buy a new router, I install
After downloading OpenWRT, I also
What is binwalk?
Created in 2010 by Craig Heffner, binwalk can scan firmware images and find files, identify and extract filesystem images, executable code, compressed archives, bootloaders and kernels, file formats such as JPEG and PDF, and much more.
You can use binwalk to reverse engineer firmware in order to understand how it works: search binaries for vulnerabilities, extract files, and look for backdoors or digital certificates. You can also find opcodes for many different CPUs.
You can extract filesystem images to look for specific password files (passwd, shadow, etc.) and try to crack the password hashes. You can perform binary diffing between two or more files. You can run entropy analysis on data to look for compressed data or embedded encryption keys. All of this without needing access to the source code.
In general, everything you need is there :)
How does binwalk work?
The main feature of binwalk is signature scanning. Binwalk can scan a firmware image to look for various embedded file types and filesystems.
Do you know the command-line utility file?
file /bin/bash
/bin/bash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=12f73d7a8e226c663034529c8dd20efec22dde54, stripped
The file utility looks at the file header and searches for a signature (magic number) to determine the file type. For example, if the file starts with the byte sequence 0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A, it knows it is a PNG file. On
Binwalk works the same way. But instead of looking for signatures only at the beginning of the file, binwalk scans the whole file. In addition, binwalk can extract the files it finds in the image.
The file and binwalk tools both use the libmagic library to identify file signatures. But binwalk additionally supports a list of custom magic signatures for finding compressed/zipped files, firmware headers, Linux kernels, bootloaders, filesystems and so on.
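To make the difference between the two approaches concrete, here is a small added example (my code, not binwalk's or libmagic's): a toy signature scanner that checks a handful of well-known, documented magic numbers at every offset of a buffer, next to a `file`-style check that only looks at offset 0. The firmware-like blob is constructed inline with a known layout, so the script runs offline; the offsets it reports are the ones the layout comment describes.

```python
# Added example, not binwalk's own code: a miniature whole-file signature
# scanner in the spirit of `binwalk --signature`, contrasted with the
# start-of-file check that `file` performs. The magic numbers are the public,
# documented ones; the firmware-like blob is constructed inline so the script
# runs offline.
import gzip

# description -> magic bytes (all real, documented signatures)
SIGNATURES = {
    "PNG image": b"\x89PNG\r\n\x1a\n",
    "ELF executable": b"\x7fELF",
    "uImage header": b"\x27\x05\x19\x56",
    "gzip compressed data": b"\x1f\x8b\x08",
    "Squashfs filesystem, little endian": b"hsqs",
}


def file_type_at_start(data: bytes) -> str:
    """What `file` does: match a signature only at offset 0."""
    for description, magic in SIGNATURES.items():
        if data.startswith(magic):
            return description
    return "data"


def scan_signatures(data: bytes) -> list:
    """What binwalk does: report every (offset, description) match anywhere
    in the buffer, so images embedded inside a firmware blob are found too."""
    hits = []
    for description, magic in SIGNATURES.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, description))
            start = idx + 1
    return sorted(hits)


def build_sample_blob() -> bytes:
    """Constructed firmware-like blob with a known layout:
       0x000  zero padding
       0x100  uImage magic followed by the rest of a zeroed 64-byte header
       0x140  gzip stream, padded out to 0x200 bytes
       0x340  Squashfs superblock magic."""
    blob = bytearray(b"\x00" * 0x100)
    blob += b"\x27\x05\x19\x56" + b"\x00" * 60
    gz = gzip.compress(b"kernel payload " * 16, mtime=0)
    blob += gz.ljust(0x200, b"\x00")
    blob += b"hsqs" + b"\x00" * 28
    return bytes(blob)


if __name__ == "__main__":
    blob = build_sample_blob()
    print("file-style check:", file_type_at_start(blob))
    print("DECIMAL  HEXADECIMAL  DESCRIPTION")
    for offset, description in scan_signatures(blob):
        print(f"{offset:<8} {offset:<#12x} {description}")
```

Because nothing known sits at offset 0, the `file`-style check returns plain "data", while the whole-file scan lists the uImage header, the gzip stream and the squashfs magic at their real offsets. Real binwalk signatures also carry validation rules (for example, sanity checks on header fields), which is what keeps false positives down on multi-megabyte images; this toy scanner has none.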
Shall we have some fun?
Installing binwalk
Binwalk is supported on multiple platforms including Linux, OSX, FreeBSD and Windows.
To install the latest version of binwalk you can
Binwalk has many different parameters:
$ binwalk
Binwalk v2.2.0
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Signature Scan Options:
-B, --signature Scan target file(s) for common file signatures
-R, --raw=<str> Scan target file(s) for the specified sequence of bytes
-A, --opcodes Scan target file(s) for common executable opcode signatures
-m, --magic=<file> Specify a custom magic file to use
-b, --dumb Disable smart signature keywords
-I, --invalid Show results marked as invalid
-x, --exclude=<str> Exclude results that match <str>
-y, --include=<str> Only show results that match <str>
Extraction Options:
-e, --extract Automatically extract known file types
-D, --dd=<type:ext:cmd> Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka Recursively scan extracted files
-d, --depth=<int> Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> Limit the size of each extracted file
-n, --count=<int> Limit the number of extracted files
-r, --rm Delete carved files after extraction
-z, --carve Carve data from files, but don't execute extraction utilities
-V, --subdirs Extract into sub-directories named by the offset
Entropy Options:
-E, --entropy Calculate file entropy
-F, --fast Use faster, but less detailed, entropy analysis
-J, --save Save plot as a PNG
-Q, --nlegend Omit the legend from the entropy plot graph
-N, --nplot Do not generate an entropy plot graph
-H, --high=<float> Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> Set the falling edge entropy trigger threshold (default: 0.85)
Binary Diffing Options:
-W, --hexdump Perform a hexdump / diff of a file or files
-G, --green Only show lines containing bytes that are the same among all files
-i, --red Only show lines containing bytes that are different among all files
-U, --blue Only show lines containing bytes that are different among some files
-u, --similar Only display lines that are the same between all files
-w, --terse Diff all files, but only display a hex dump of the first file
Raw Compression Options:
-X, --deflate Scan for raw deflate compression streams
-Z, --lzma Scan for raw LZMA compression streams
-P, --partial Perform a superficial, but faster, scan
-S, --stop Stop after the first result
General Options:
-l, --length=<int> Number of bytes to scan
-o, --offset=<int> Start scan at this file offset
-O, --base=<int> Add a base address to all printed offsets
-K, --block=<int> Set file block size
-g, --swap=<int> Reverse every n bytes before scanning
-f, --log=<file> Log results to file
-c, --csv Log results to file in CSV format
-t, --term Format output to fit the terminal window
-q, --quiet Suppress output to stdout
-v, --verbose Enable verbose output
-h, --help Show help output
-a, --finclude=<str> Only scan files whose names match this regex
-p, --fexclude=<str> Do not scan files whose names match this regex
-s, --status=<int> Enable the status server on the specified port
Scanning images
Let's start by looking for file signatures inside the image (image from the site
Run binwalk with the --signature parameter:
$ binwalk --signature --term archer-c7.bin
DECIMAL HEXADECIMAL DESCRIPTION
------------------------------------------------------------------------------------------
21876 0x5574 U-Boot version string, "U-Boot 1.1.4-g4480d5f9-dirty (May 20 2019 - 18:45:16)"
21940 0x55B4 CRC32 polynomial table, big endian
23232 0x5AC0 uImage header, header size: 64 bytes, header CRC: 0x386C2BD5, created: 2019-05-20 10:45:17, image size: 41162 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0xC9CD1E38, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
23296 0x5B00 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 97476 bytes
64968 0xFDC8 XML document, version: "1.0"
78448 0x13270 uImage header, header size: 64 bytes, header CRC: 0x78A267FF, created: 2019-07-26 07:46:14, image size: 1088500 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xBB9D4F94, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.3.8"
78520 0x132B8 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3164228 bytes
1167013 0x11CEA5 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 14388306 bytes, 2541 inodes, blocksize: 65536 bytes, created: 2019-07-26 07:51:38
15555328 0xED5B00 gzip compressed data, from Unix, last modified: 2019-07-26 07:51:41
Now we have plenty of information about this image.
The image uses U-Boot as the bootloader (uImage header at 0x5AC0 and compressed bootloader image at 0x5B00). Based on the uImage header at 0x13270, we know that the processor architecture is MIPS and the Linux kernel is version 3.3.8. And based on the image found at address 0x11CEA5, we can see that the rootfs is a squashfs filesystem.
Let's now extract the bootloader (U-Boot) using the dd command:
$ dd if=archer-c7.bin of=u-boot.bin.lzma bs=1 skip=23296 count=41162
41162+0 records in
41162+0 records out
41162 bytes (41 kB, 40 KiB) copied, 0,0939608 s, 438 kB/s
Since the image is compressed with LZMA, we need to decompress it:
$ unlzma u-boot.bin.lzma
Now we have a U-Boot image:
$ ls -l u-boot.bin
-rw-rw-r-- 1 sprado sprado 97476 Fev 5 08:48 u-boot.bin
How do we find the default value of bootargs?
$ strings u-boot.bin | grep bootargs
bootargs
bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M
The U-Boot environment variable bootargs is used to pass parameters to the Linux kernel. And from the output above we now have a better understanding of the device's flash memory layout.
What about extracting the Linux kernel image?
$ dd if=archer-c7.bin of=uImage bs=1 skip=78448 count=1088572
1088572+0 records in
1088572+0 records out
1088572 bytes (1,1 MB, 1,0 MiB) copied, 1,68628 s, 646 kB/s
We can check that the image was extracted successfully using the file command:
$ file uImage
uImage: u-boot legacy uImage, MIPS OpenWrt Linux-3.3.8, Linux/MIPS, Multi-File Image (lzma), 1088500 bytes, Fri Jul 26 07:46:14 2019, Load Address: 0x80060000, Entry Point: 0x80060000, Header CRC: 0x78A267FF, Data CRC: 0xBB9D4F94
The uImage file format is basically a Linux kernel image with an extra header. Let's remove this header to obtain the final Linux kernel image:
$ dd if=uImage of=Image.lzma bs=1 skip=72
1088500+0 records in
1088500+0 records out
1088500 bytes (1,1 MB, 1,0 MiB) copied, 1,65603 s, 657 kB/s
The image is compressed, so let's unpack it:
$ unlzma Image.lzma
Now we have a Linux kernel image:
$ ls -la Image
-rw-rw-r-- 1 sprado sprado 3164228 Fev 5 10:51 Image
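The dd/unlzma steps above work because the uImage header has a fixed, documented layout: 64 bytes, big-endian, with a header CRC, the data size, load and entry addresses, a data CRC, and one-byte OS/architecture/type/compression codes (the fields binwalk printed in its scan). The article carves with skip=72 rather than skip=64; my reading of U-Boot's format is that a Multi-File image begins its data with a zero-terminated table of 32-bit component sizes, which for a single component is 8 bytes, hence 64 + 8 = 72. The following added example (my code, not U-Boot's or binwalk's) parses such a header, verifies both CRCs so a corrupted or tampered image is rejected rather than silently carved, walks the size table, and decompresses the first component. The firmware blob is constructed inline; the enumeration values are U-Boot's.

```python
# Added example, not U-Boot's or binwalk's code: parse a legacy uImage header,
# verify both CRCs, locate the payload (after the Multi-File size table) and
# decompress it. The firmware blob is constructed inline.
import lzma
import struct
import zlib

IH_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"            # big-endian, 64 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64
# enumeration values from U-Boot's image.h
IH_OS = {5: "Linux"}
IH_ARCH = {5: "MIPS"}
IH_TYPE = {2: "Kernel Image", 4: "Multi-File Image"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}
IH_TYPE_MULTI = 4


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob: bytes, offset: int = 0) -> dict:
    """Parse and verify the uImage at `offset`. Raises ValueError when the
    magic, header CRC, data CRC or length does not check out."""
    hdr = bytes(blob[offset:offset + HEADER_LEN])
    if len(hdr) != HEADER_LEN:
        raise ValueError("truncated header")
    (magic, hcrc, mtime, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != IH_MAGIC:
        raise ValueError("bad uImage magic")
    # the header CRC is computed with its own field zeroed
    if crc32(hdr[:4] + b"\x00" * 4 + hdr[8:]) != hcrc:
        raise ValueError("header CRC mismatch")
    data = bytes(blob[offset + HEADER_LEN:offset + HEADER_LEN + size])
    if len(data) != size:
        raise ValueError("truncated data")
    if crc32(data) != dcrc:
        raise ValueError("data CRC mismatch")
    payload_offset = HEADER_LEN          # relative to the uImage start
    payload_size = size
    if typ == IH_TYPE_MULTI:
        # Multi-File images start with a 0-terminated table of uint32 sizes
        sizes, pos = [], 0
        while True:
            if pos + 4 > len(data):
                raise ValueError("unterminated size table")
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if n == 0:
                break
            sizes.append(n)
        payload_offset += pos            # 64 + 4 * (components + 1)
        payload_size = sizes[0]          # first component, as carved with dd
    return {
        "header_crc": hcrc, "data_crc": dcrc, "image_size": size,
        "load_address": load, "entry_point": ep,
        "os": IH_OS.get(os_, os_), "arch": IH_ARCH.get(arch, arch),
        "type": IH_TYPE.get(typ, typ), "compression": IH_COMP.get(comp, comp),
        "name": name.rstrip(b"\x00").decode(),
        "payload_offset": payload_offset, "payload_size": payload_size,
    }


def carve_kernel(blob: bytes, offset: int = 0) -> bytes:
    """The dd + unlzma steps in one go (only LZMA is handled here)."""
    info = parse_uimage(blob, offset)
    if info["compression"] != "lzma":
        raise ValueError("unsupported compression: %r" % info["compression"])
    start = offset + info["payload_offset"]
    payload = blob[start:start + info["payload_size"]]
    return lzma.decompress(payload, format=lzma.FORMAT_ALONE)


def build_sample_firmware() -> tuple:
    """Constructed sample: 0x100 bytes of padding, then a Multi-File uImage
    wrapping one LZMA-compressed ('.lzma' alone format) fake kernel.
    Returns (blob, uimage_offset, original_kernel_bytes)."""
    kernel = b"Linux version 3.3.8 (constructed sample kernel) " * 64
    comp = lzma.compress(kernel, format=lzma.FORMAT_ALONE)
    data = struct.pack(">II", len(comp), 0) + comp   # size table + component
    name = b"MIPS OpenWrt Linux-3.3.8".ljust(32, b"\x00")
    fields = [IH_MAGIC, 0, 0, len(data), 0x80060000, 0x80060000,
              crc32(data), 5, 5, IH_TYPE_MULTI, 3, name]
    fields[1] = crc32(struct.pack(HEADER_FMT, *fields))  # header CRC
    image = struct.pack(HEADER_FMT, *fields) + data
    return b"\xff" * 0x100 + image, 0x100, kernel


if __name__ == "__main__":
    blob, off, kernel = build_sample_firmware()
    for key, value in parse_uimage(blob, off).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
    print("kernel recovered:", carve_kernel(blob, off) == kernel)
```

Checking the CRCs before carving is the part worth keeping in any extraction script: a header whose CRC does not match tells you the carve offset or the image itself is wrong, and a data CRC mismatch tells you the bytes you are about to feed to a decompressor are not the ones the image was built with.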
What can we do with the kernel image? We could, for example, run a string search on the image to find the Linux kernel version and learn about the environment used to build the kernel:
$ strings Image | grep "Linux version"
Linux version 3.3.8 (leo@leo-MS-7529) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Mon May 20 18:53:02 CST 2019
Although the firmware was released last year (2019), at the time of writing this article it is using an old version of the Linux kernel (3.3.8) released in 2012, compiled with a very old version of GCC (4.6), also from 2012!
(translator's note: do you still trust your routers at the office and at home?)
With the --opcodes option we can also use binwalk to search for machine instructions and determine the processor architecture of the image:
$ binwalk --opcodes Image
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
2400 0x960 MIPS instructions, function epilogue
2572 0xA0C MIPS instructions, function epilogue
2828 0xB0C MIPS instructions, function epilogue
What about the root filesystem? Instead of extracting the image manually, let's use binwalk's --extract option:
$ binwalk --extract --quiet archer-c7.bin
The whole root filesystem will be extracted to a subdirectory:
$ cd _archer-c7.bin.extracted/squashfs-root/
$ ls
bin dev etc lib mnt overlay proc rom root sbin sys tmp usr var www
$ cat etc/banner
MM NM MMMMMMM M M
$MMMMM MMMMM MMMMMMMMMMM MMM MMM
MMMMMMMM MM MMMMM. MMMMM:MMMMMM: MMMM MMMMM
MMMM= MMMMMM MMM MMMM MMMMM MMMM MMMMMM MMMM MMMMM'
MMMM= MMMMM MMMM MM MMMMM MMMM MMMM MMMMNMMMMM
MMMM= MMMM MMMMM MMMMM MMMM MMMM MMMMMMMM
MMMM= MMMM MMMMMM MMMMM MMMM MMMM MMMMMMMMM
MMMM= MMMM MMMMM, NMMMMMMMM MMMM MMMM MMMMMMMMMMM
MMMM= MMMM MMMMMM MMMMMMMM MMMM MMMM MMMM MMMMMM
MMMM= MMMM MM MMMM MMMM MMMM MMMM MMMM MMMM
MMMM$ ,MMMMM MMMMM MMMM MMM MMMM MMMMM MMMM MMMM
MMMMMMM: MMMMMMM M MMMMMMMMMMMM MMMMMMM MMMMMMM
MMMMMM MMMMN M MMMMMMMMM MMMM MMMM
MMMM M MMMMMMM M M
M
---------------------------------------------------------------
For those about to rock... (%C, %R)
---------------------------------------------------------------
Now we can do many different things.
We can search for configuration files, password hashes, cryptographic keys and digital certificates. We can analyse binary files for
With
$ ls
bin dev etc lib mnt overlay proc rom root sbin sys tmp usr var www
$ cp /usr/bin/qemu-mips-static .
$ sudo chroot . ./qemu-mips-static bin/busybox
BusyBox v1.19.4 (2019-05-20 18:13:49 CST) multi-call binary.
Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, addgroup, adduser, arping, ash, awk, basename, cat, chgrp, chmod, chown, chroot, clear, cmp, cp, crond, crontab, cut, date, dd, delgroup, deluser, dirname, dmesg, echo, egrep, env, expr, false,
fgrep, find, free, fsync, grep, gunzip, gzip, halt, head, hexdump, hostid, id, ifconfig, init, insmod, kill, killall, klogd, ln, lock, logger, ls, lsmod, mac_addr, md5sum, mkdir, mkfifo, mknod, mktemp,
mount, mv, nice, passwd, pgrep, pidof, ping, ping6, pivot_root, poweroff, printf, ps, pwd, readlink, reboot, reset, rm, rmdir, rmmod, route, sed, seq, sh, sleep, sort, start-stop-daemon, strings,
switch_root, sync, sysctl, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, udhcpc, umount, uname, uniq, uptime, vconfig, vi, watchdog, wc, wget, which, xargs, yes, zcat
Great! But note that the BusyBox version is 1.19.4. This is a very old version of BusyBox, released in April 2012.
So TP-Link released a firmware image in 2019 using software (GCC toolchain, kernel, BusyBox, etc.) from 2012!
Now do you understand why I always install OpenWRT on my routers?
That's not all
Binwalk can perform entropy analysis, print raw entropy data and generate entropy graphs. Higher entropy is usually observed when the bytes in the image are random. This may mean that the image contains an encrypted, compressed or obfuscated file. A hardcoded encryption key? Why not.
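What the entropy scan actually computes is easy to reproduce. The following added example (my code, not binwalk's) calculates the Shannon entropy of each 1 KiB block, normalised to 0..1 as binwalk's plot is, and reports rising and falling edges using the same 0.95/0.85 defaults that the -H/--high and -L/--low options in the help text describe. The sample buffer is constructed inline: plain text, then a deterministic pseudo-random region standing in for compressed or encrypted data, then zero padding.

```python
# Added example, not binwalk's own code: block-wise Shannon entropy with the
# rising/falling edge triggers described by binwalk's -H/--high (0.95) and
# -L/--low (0.85) options. All sample data is constructed inline.
import hashlib
import math


def shannon_entropy(chunk: bytes) -> float:
    """Entropy of a byte block normalised to 0.0..1.0 (8 bits/byte = 1.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    bits = 0.0
    for c in counts:
        if c:
            p = c / n
            bits -= p * math.log2(p)
    return bits / 8.0


def entropy_blocks(data: bytes, block_size: int = 1024) -> list:
    """[(offset, entropy)] for each consecutive block, like `binwalk -E`."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def find_edges(blocks: list, high: float = 0.95, low: float = 0.85) -> list:
    """Report where entropy climbs above `high` (start of a likely compressed,
    encrypted or otherwise opaque region) and where it drops back below `low`.
    The two thresholds give hysteresis, so a single noisy block does not
    produce a pair of spurious edges."""
    edges, in_high = [], False
    for off, e in blocks:
        if not in_high and e > high:
            edges.append((off, "rising edge"))
            in_high = True
        elif in_high and e < low:
            edges.append((off, "falling edge"))
            in_high = False
    return edges


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode); it stands
    in for ciphertext or compressed data so the example runs reproducibly."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed layout: 4 KiB of text, 4 KiB of opaque data, 4 KiB zeros."""
    text = (b"bootargs=console=ttyS0,115200 rootfstype=squashfs " * 100)[:4096]
    return text + pseudo_random_bytes(4096) + b"\x00" * 4096


if __name__ == "__main__":
    image = build_sample_image()
    print("OFFSET   HEX        ENTROPY")
    for off, e in entropy_blocks(image):
        print(f"{off:8d} {off:#10x} {e:.3f} {'#' * int(e * 40)}")
    for off, kind in find_edges(entropy_blocks(image)):
        print(f"{off:8d} {off:#10x} {kind}")
```

The text region sits around 0.5, the opaque region above 0.95 and the padding at 0.0, so the scan reports one rising edge at 4096 and one falling edge at 8192. Note what entropy cannot tell you: a compressed kernel, an encrypted partition and a well-generated key blob all look the same in this plot, which is why the signature scan and the entropy scan are read together.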
We can also use the --raw parameter to find a custom sequence of raw bytes in an image, or the --hexdump parameter to perform a hex dump comparing two or more input files.
--magic, or by adding them to the $HOME/.config/binwalk/magic directory.
You can find more information about binwalk at
Extending binwalk
There is
import binwalk
# signature scan of the article's sample image through the Python API
for module in binwalk.scan('archer-c7.bin', signature=True, quiet=True):
    print([(r.offset, r.description) for r in module.results])
Using the Python API you can also create
There is also
So why not download a firmware image from the Internet and try binwalk? I promise you'll have a lot of fun :)
Source: will.com