A few days ago, I decided to reverse engineer my router's firmware using binwalk.
I bought the router myself.
Every time I buy a new router, I install OpenWRT on it.
After downloading OpenWRT, I also downloaded the router's own firmware image to analyze it.
What is Binwalk?
Created in 2010 by Craig Heffner, binwalk can scan firmware images and search them for file signatures. It can identify and extract filesystem images, executable code, compressed archives, bootloaders and kernels, file formats such as JPEG and PDF, and much more.
You can use binwalk to reverse engineer firmware and understand how it works. You can search binary files for vulnerabilities. You can extract files and look for backdoors or digital certificates. You can also find opcodes for many different CPUs.
You can unpack filesystem images to look for specific password files (passwd, shadow, etc.) and try to crack the password hashes. You can do a binary diff between two or more files. You can perform entropy analysis on the data to look for compressed data or encrypted keys. All of this without needing access to the source code.
In general, it has everything you need :)
How does Binwalk work?
The main feature of Binwalk is its signature scanning. Binwalk can scan a firmware image to look for a variety of built-in file types and filesystems.
Do you know the file command-line utility?
file /bin/bash
/bin/bash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=12f73d7a8e226c663034529c8dd20efec22dde54, stripped
The file command looks at the header of a file and searches for a signature (magic number) to determine the file type. For example, if the file begins with the byte sequence 0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A, it knows that it is a PNG file.
Binwalk works the same way. But instead of looking for signatures only at the beginning of the file, binwalk scans the entire file. In addition, binwalk can extract the files it finds in the image.
The file and binwalk tools both use the libmagic library to identify file signatures. But binwalk additionally supports a list of custom magic signatures for finding compressed/zipped files, firmware headers, Linux kernels, bootloaders, filesystems and so on.
Shall we have some fun?
Installing Binwalk
Binwalk is supported on several platforms, including Linux, OSX, FreeBSD and Windows.
You can install the latest version of binwalk.
Binwalk has a lot of different options:
$ binwalk
Binwalk v2.2.0
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Signature Scan Options:
-B, --signature Scan target file(s) for common file signatures
-R, --raw=<str> Scan target file(s) for the specified sequence of bytes
-A, --opcodes Scan target file(s) for common executable opcode signatures
-m, --magic=<file> Specify a custom magic file to use
-b, --dumb Disable smart signature keywords
-I, --invalid Show results marked as invalid
-x, --exclude=<str> Exclude results that match <str>
-y, --include=<str> Only show results that match <str>
Extraction Options:
-e, --extract Automatically extract known file types
-D, --dd=<type:ext:cmd> Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka Recursively scan extracted files
-d, --depth=<int> Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> Limit the size of each extracted file
-n, --count=<int> Limit the number of extracted files
-r, --rm Delete carved files after extraction
-z, --carve Carve data from files, but don't execute extraction utilities
-V, --subdirs Extract into sub-directories named by the offset
Entropy Options:
-E, --entropy Calculate file entropy
-F, --fast Use faster, but less detailed, entropy analysis
-J, --save Save plot as a PNG
-Q, --nlegend Omit the legend from the entropy plot graph
-N, --nplot Do not generate an entropy plot graph
-H, --high=<float> Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> Set the falling edge entropy trigger threshold (default: 0.85)
Binary Diffing Options:
-W, --hexdump Perform a hexdump / diff of a file or files
-G, --green Only show lines containing bytes that are the same among all files
-i, --red Only show lines containing bytes that are different among all files
-U, --blue Only show lines containing bytes that are different among some files
-u, --similar Only display lines that are the same between all files
-w, --terse Diff all files, but only display a hex dump of the first file
Raw Compression Options:
-X, --deflate Scan for raw deflate compression streams
-Z, --lzma Scan for raw LZMA compression streams
-P, --partial Perform a superficial, but faster, scan
-S, --stop Stop after the first result
General Options:
-l, --length=<int> Number of bytes to scan
-o, --offset=<int> Start scan at this file offset
-O, --base=<int> Add a base address to all printed offsets
-K, --block=<int> Set file block size
-g, --swap=<int> Reverse every n bytes before scanning
-f, --log=<file> Log results to file
-c, --csv Log results to file in CSV format
-t, --term Format output to fit the terminal window
-q, --quiet Suppress output to stdout
-v, --verbose Enable verbose output
-h, --help Show help output
-a, --finclude=<str> Only scan files whose names match this regex
-p, --fexclude=<str> Do not scan files whose names match this regex
-s, --status=<int> Enable the status server on the specified port
Scanning the image
Let's start by searching for file signatures inside the image (the image from the site).
Run binwalk with the --signature parameter:
$ binwalk --signature --term archer-c7.bin
DECIMAL HEXADECIMAL DESCRIPTION
------------------------------------------------------------------------------------------
21876 0x5574 U-Boot version string, "U-Boot 1.1.4-g4480d5f9-dirty (May
20 2019 - 18:45:16)"
21940 0x55B4 CRC32 polynomial table, big endian
23232 0x5AC0 uImage header, header size: 64 bytes, header CRC:
0x386C2BD5, created: 2019-05-20 10:45:17, image size:
41162 bytes, Data Address: 0x80010000, Entry Point:
0x80010000, data CRC: 0xC9CD1E38, OS: Linux, CPU: MIPS,
image type: Firmware Image, compression type: lzma, image
name: "u-boot image"
23296 0x5B00 LZMA compressed data, properties: 0x5D, dictionary size:
8388608 bytes, uncompressed size: 97476 bytes
64968 0xFDC8 XML document, version: "1.0"
78448 0x13270 uImage header, header size: 64 bytes, header CRC:
0x78A267FF, created: 2019-07-26 07:46:14, image size:
1088500 bytes, Data Address: 0x80060000, Entry Point:
0x80060000, data CRC: 0xBB9D4F94, OS: Linux, CPU: MIPS,
image type: Multi-File Image, compression type: lzma,
image name: "MIPS OpenWrt Linux-3.3.8"
78520 0x132B8 LZMA compressed data, properties: 0x6D, dictionary size:
8388608 bytes, uncompressed size: 3164228 bytes
1167013 0x11CEA5 Squashfs filesystem, little endian, version 4.0,
compression:xz, size: 14388306 bytes, 2541 inodes,
blocksize: 65536 bytes, created: 2019-07-26 07:51:38
15555328 0xED5B00 gzip compressed data, from Unix, last modified: 2019-07-26
07:51:41
Now we have a lot of information about this image.
The image uses U-Boot as its bootloader (image header at 0x5AC0 and compressed bootloader image at 0x5B00). Based on the uImage header at 0x13270, we know that the processor architecture is MIPS and that the Linux kernel is version 3.3.8. And based on the image found at 0x11CEA5, we can see that rootfs is a squashfs filesystem.
Let's extract the bootloader (U-Boot) using the dd command:
$ dd if=archer-c7.bin of=u-boot.bin.lzma bs=1 skip=23296 count=41162
41162+0 records in
41162+0 records out
41162 bytes (41 kB, 40 KiB) copied, 0,0939608 s, 438 kB/s
Since the image is compressed with LZMA, we need to decompress it:
$ unlzma u-boot.bin.lzma
Now we have a U-Boot image:
$ ls -l u-boot.bin
-rw-rw-r-- 1 sprado sprado 97476 Fev 5 08:48 u-boot.bin
How about finding the default value of bootargs?
$ strings u-boot.bin | grep bootargs
bootargs
bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M
The U-Boot environment variable bootargs is used to pass parameters to the Linux kernel. From the output above, we get a better understanding of the device's flash memory.
How about extracting the Linux kernel image?
$ dd if=archer-c7.bin of=uImage bs=1 skip=78448 count=1088572
1088572+0 records in
1088572+0 records out
1088572 bytes (1,1 MB, 1,0 MiB) copied, 1,68628 s, 646 kB/s
We can check that the image was extracted successfully using the file command:
$ file uImage
uImage: u-boot legacy uImage, MIPS OpenWrt Linux-3.3.8, Linux/MIPS, Multi-File Image (lzma), 1088500 bytes, Fri Jul 26 07:46:14 2019, Load Address: 0x80060000, Entry Point: 0x80060000, Header CRC: 0x78A267FF, Data CRC: 0xBB9D4F94
The uImage file format is basically a Linux kernel image with an additional header. Let's remove this header to get the final Linux kernel image:
$ dd if=uImage of=Image.lzma bs=1 skip=72
1088500+0 records in
1088500+0 records out
1088500 bytes (1,1 MB, 1,0 MiB) copied, 1,65603 s, 657 kB/s
The image is compressed, so let's unpack it:
$ unlzma Image.lzma
Now we have a Linux kernel image:
$ ls -la Image
-rw-rw-r-- 1 sprado sprado 3164228 Fev 5 10:51 Image
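The header that the steps above strip by hand can also be parsed and checked in code. This is an added example, not code from the original article or from binwalk: it reads the 64-byte legacy uImage header, verifies both CRCs and reports where the first payload starts. The function names and the image produced by build_sample() are constructed for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956      # magic of the legacy U-Boot image header
HEADER_FMT = ">7I4B32s"        # big-endian fields, 64 bytes in total
HEADER_LEN = struct.calcsize(HEADER_FMT)
IH_TYPE_MULTI = 4              # shown as "Multi-File Image" by file/binwalk


def parse_uimage(blob, offset=0):
    """Validate the uImage header at `offset` and locate the first payload."""
    raw = blob[offset:offset + HEADER_LEN]
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, img_type, _comp, name) = struct.unpack(HEADER_FMT, raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a uImage header")
    # The header CRC is computed with the CRC field itself set to zero.
    if zlib.crc32(raw[:4] + b"\x00" * 4 + raw[8:]) != hcrc:
        raise ValueError("header CRC mismatch")
    start = offset + HEADER_LEN
    data = blob[start:start + size]
    if len(data) < size or zlib.crc32(data) != dcrc:
        raise ValueError("image data truncated or data CRC mismatch")
    # Multi-file images begin with a table of 32-bit sizes ended by a zero.
    sizes, pos = [], 0
    while img_type == IH_TYPE_MULTI and pos + 4 <= len(data):
        (entry_size,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if entry_size == 0:
            break
        sizes.append(entry_size)
    return {"name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "load": load, "entry": entry, "image_size": size,
            "payload_offset": start + pos,   # the value for dd skip=
            "payload_len": sizes[0] if sizes else size}


def build_sample(payload=b"constructed-lzma-bytes"):
    """Constructed sample: one payload wrapped as a multi-file uImage."""
    data = struct.pack(">II", len(payload), 0) + payload
    fields = [UIMAGE_MAGIC, 0, 0, len(data), 0x80060000, 0x80060000,
              zlib.crc32(data), 5, 5, IH_TYPE_MULTI, 3, b"sample kernel"]
    fields[1] = zlib.crc32(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields) + data


if __name__ == "__main__":
    image = b"\xff" * 16 + build_sample()    # header not at offset 0
    print(parse_uimage(image, offset=16))
```

For a multi-file image holding a single payload, the 64-byte header plus the 8-byte size table gives a payload offset of 72, which matches both the skip=72 used above and the distance between the uImage header (78448) and the LZMA data (78520) in the binwalk scan.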
What can we do with the kernel image? For example, we can search the image for strings, find the Linux kernel version and learn about the environment used to build the kernel:
$ strings Image | grep "Linux version"
Linux version 3.3.8 (leo@leo-MS-7529) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Mon May 20 18:53:02 CST 2019
Although the firmware was released last year (2019), at the time of writing it still uses an old version of the Linux kernel (3.3.8) released in 2012, compiled with a very old version of GCC (4.6), also from 2012!
(Translator's note: do you still trust the routers in your office and at home?)
With the --opcodes option, we can also use binwalk to search for machine instructions and determine the processor architecture of the image:
$ binwalk --opcodes Image
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
2400 0x960 MIPS instructions, function epilogue
2572 0xA0C MIPS instructions, function epilogue
2828 0xB0C MIPS instructions, function epilogue
What about the root filesystem? Instead of extracting the image manually, let's use the binwalk --extract option:
$ binwalk --extract --quiet archer-c7.bin
The complete root filesystem is extracted into a subdirectory:
$ cd _archer-c7.bin.extracted/squashfs-root/
$ ls
bin dev etc lib mnt overlay proc rom root sbin sys tmp usr var www
$ cat etc/banner
MM NM MMMMMMM M M
$MMMMM MMMMM MMMMMMMMMMM MMM MMM
MMMMMMMM MM MMMMM. MMMMM:MMMMMM: MMMM MMMMM
MMMM= MMMMMM MMM MMMM MMMMM MMMM MMMMMM MMMM MMMMM'
MMMM= MMMMM MMMM MM MMMMM MMMM MMMM MMMMNMMMMM
MMMM= MMMM MMMMM MMMMM MMMM MMMM MMMMMMMM
MMMM= MMMM MMMMMM MMMMM MMMM MMMM MMMMMMMMM
MMMM= MMMM MMMMM, NMMMMMMMM MMMM MMMM MMMMMMMMMMM
MMMM= MMMM MMMMMM MMMMMMMM MMMM MMMM MMMM MMMMMM
MMMM= MMMM MM MMMM MMMM MMMM MMMM MMMM MMMM
MMMM$ ,MMMMM MMMMM MMMM MMM MMMM MMMMM MMMM MMMM
MMMMMMM: MMMMMMM M MMMMMMMMMMMM MMMMMMM MMMMMMM
MMMMMM MMMMN M MMMMMMMMM MMMM MMMM
MMMM M MMMMMMM M M
M
---------------------------------------------------------------
For those about to rock... (%C, %R)
---------------------------------------------------------------
Now we can do a lot of different things.
We can search for configuration files, password hashes, cryptographic keys and digital certificates. We can analyze the binary files.
Using qemu and chroot, we can even run an executable from the image:
$ ls
bin dev etc lib mnt overlay proc rom root sbin sys tmp usr var www
$ cp /usr/bin/qemu-mips-static .
$ sudo chroot . ./qemu-mips-static bin/busybox
BusyBox v1.19.4 (2019-05-20 18:13:49 CST) multi-call binary.
Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, addgroup, adduser, arping, ash, awk, basename, cat, chgrp, chmod, chown, chroot, clear, cmp, cp, crond, crontab, cut, date, dd, delgroup, deluser, dirname, dmesg, echo, egrep, env, expr, false,
fgrep, find, free, fsync, grep, gunzip, gzip, halt, head, hexdump, hostid, id, ifconfig, init, insmod, kill, killall, klogd, ln, lock, logger, ls, lsmod, mac_addr, md5sum, mkdir, mkfifo, mknod, mktemp,
mount, mv, nice, passwd, pgrep, pidof, ping, ping6, pivot_root, poweroff, printf, ps, pwd, readlink, reboot, reset, rm, rmdir, rmmod, route, sed, seq, sh, sleep, sort, start-stop-daemon, strings,
switch_root, sync, sysctl, tail, tar, tee, telnet, test, tftp, time, top, touch, tr, traceroute, true, udhcpc, umount, uname, uniq, uptime, vconfig, vi, watchdog, wc, wget, which, xargs, yes, zcat
Great! But please note that the BusyBox version is 1.19.4. This is a very old version of BusyBox, released in April 2012.
So TP-Link released a firmware image in 2019 using software (GCC toolchain, kernel, BusyBox, etc.) from 2012!
Now do you understand why I always install OpenWRT on my routers?
That's not all
Binwalk can also perform entropy analysis, print raw entropy data and generate entropy graphs. Typically, higher entropy is observed when the bytes in an image are random. This may mean that the image contains an encrypted, compressed or obfuscated file. A hardcoded encryption key? Why not.
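The entropy analysis described above, as an added example that is not binwalk's own code: it computes normalised Shannon entropy per block and reports rising and falling edges using the 0.95 and 0.85 default thresholds listed in the help output. The 1024-byte block size, the function names and the sample image are assumptions constructed for illustration.

```python
import math
import random


def block_entropy(block):
    """Shannon entropy of a byte block, normalised to 0.0 .. 1.0."""
    if not block:
        return 0.0
    counts = [0] * 256
    for byte in block:
        counts[byte] += 1
    n = len(block)
    bits = sum(-(c / n) * math.log2(c / n) for c in counts if c)
    return bits / 8.0          # 8 bits per byte is the maximum


def entropy_edges(data, block_size=1024, high=0.95, low=0.85):
    """Offsets where per-block entropy rises above `high` or falls below `low`."""
    edges, inside = [], False
    for off in range(0, len(data), block_size):
        value = block_entropy(data[off:off + block_size])
        if not inside and value >= high:
            edges.append((off, "rising", round(value, 3)))
            inside = True
        elif inside and value <= low:
            edges.append((off, "falling", round(value, 3)))
            inside = False
    return edges


def build_sample():
    """Constructed image: 4 KiB text, 8 KiB pseudo-random bytes, 4 KiB zeros."""
    rng = random.Random(0)     # fixed seed so the sample is reproducible
    text = (b"bootargs=console=ttyS0,115200 " * 200)[:4096]
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    return text + noise + b"\x00" * 4096


if __name__ == "__main__":
    for off, kind, value in entropy_edges(build_sample()):
        print(f"0x{off:06X}  {kind:<7}  entropy={value}")
```

A region between a rising and a falling edge is a candidate for compressed or encrypted content; entropy alone cannot tell the two apart.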
We can also use the --raw parameter to search for a custom sequence of raw bytes in an image or file, or the --hexdump parameter to produce a hex dump comparing two or more input files.
Custom signatures can be added through a custom magic file given with the --magic parameter, or by adding them to the $HOME/.config/binwalk/magic directory.
You can find more information about binwalk in its documentation.
Extending binwalk
There is a binwalk module for Python:
import binwalk
binwalk.scan()
Using the Python API, you can also create your own extensions for binwalk.
So why not download a firmware image from the Internet and try binwalk yourself? I promise you will have a lot of fun :)
source: www.habr.com