那么,有可能应用他在固件中建议的内容然后更新路由器吗?
使用binwalk,显然该文件是ZynOS。但是,我真的不能像那里解释的那样提取签名,而且我真的不知道以后要做什么。
br />
~$ binwalk ras
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
84992 0x14C00 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 66824, compressed size: 16870, uncompressed checksum: 0xF480, compressed checksum: 0xF03A, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
85043 0x14C33 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 66824 bytes
128002 0x1F402 GIF image data, version "89a", 200 x 50
136194 0x21402 GIF image data, version "89a", 560 x 50
326749 0x4FC5D Copyright string: " (c) 2001 - 2011 TP-LINK TECHNOLOGIES CO., LTD.LOGIES CO., LTD."
349184 0x55400 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 55931, uncompressed checksum: 0xC892, compressed checksum: 0xC30C, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
349235 0x55433 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
405248 0x62F00 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 59174, uncompressed checksum: 0x8D2B, compressed checksum: 0x66BC, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
405299 0x62F33 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
464640 0x71700 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 52399, uncompressed checksum: 0xA2DE, compressed checksum: 0x917A, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
464691 0x71733 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
517120 0x7E400 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 63920, uncompressed checksum: 0xFEC9, compressed checksum: 0xA7FD, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
517171 0x7E433 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
581120 0x8DE00 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 54909, uncompressed checksum: 0xF811, compressed checksum: 0x3544, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
581171 0x8DE33 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
636160 0x9B500 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 61051, uncompressed checksum: 0x36F3, compressed checksum: 0x6A1, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
636211 0x9B533 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
697344 0xAA400 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 102400, compressed size: 54463, uncompressed checksum: 0x30D8, compressed checksum: 0x9AB9, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
697395 0xAA433 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 102400 bytes
751872 0xB7900 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 12440, compressed size: 6879, uncompressed checksum: 0x5C0A, compressed checksum: 0x1945, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
751923 0xB7933 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 12440 bytes
759040 0xB9500 ZynOS header, header size: 48 bytes, rom image type: ROMBIN, uncompressed size: 3914416, compressed size: 884839, uncompressed checksum: 0xA904, compressed checksum: 0x73E3, flags: 0xE0, uncompressed checksum is valid, the binary is compressed, compressed checksum is valid, memory map table address: 0x0
759091 0xB9533 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3914416 bytes
发现漏洞的那个人建议,图像中似乎没有Lzma压缩数据,而且只是明文中的大数据。 >
#1 楼
重要的是要知道并非所有的ZyNOS图像都是一样创建的,并且对piotrbania起作用的确切步骤(如您的问题所述)可能对您不起作用。操作系统,您可以将整个操作系统视为一个大内核(即,没有用户空间或文件系统,也没有类似的易于处理的东西)。取决于ZyNOS版本,编译器版本,编译器选项,目标体系结构等,即使是相同的源代码也可以编译为不同的字节和指令序列,并且不同的ZyNOS版本/风格可能会“打包”非常不同。 br />就您而言,我几乎可以保证那些LZMA签名是有效的,并且可能包含一些数据/代码。映像中也可能存在未压缩的原始代码(尝试使用binwalk -A搜索原始可执行代码)。
完成所需的一些常规步骤:
解压缩所有压缩块,并确定其中哪些包含可执行代码
反汇编所有代码(可能从未压缩的任何代码开始,因为它可能用于引导系统并解压缩固件的其他部分)
反汇编过程的一部分将是确定每个代码段的加载地址;没有这个,数据外部参照将毫无意义。在提示中查找对绝对内存地址的引用(例如,跳转到直接地址,函数表,跳转表等)。
现在,您可以开始实际地反转代码,寻找处理ras文件请求的代码。如果幸运的话,您将拥有一个反汇编程序无法理解的符号表,因此您必须编写脚本来解析符号表并重命名所有符号地址。如果不是很幸运,则必须手动识别功能。
一旦确定了需要修补的代码,就可以用类似于piotrbania的方式对其进行修补,尽管显然固件映像的细节可能略有不同。更新所有标头校验和,然后上传到您的设备,并希望它不会变成纸镇。 :)
因此,回答您的问题,是的,这当然是可能的。但是我不知道预构建的解决方案可以使您轻松提取/修补/重新构建固件,因此需要花费一些精力才能完成。显然,通过piotrbania的工作证明,对设备进行某种调试访问(例如UART或JTAG)将大有帮助。
评论
谢谢大家的答案。我想出了另一种使用CLI修复该问题的简便方法,并且我将其发布了egyptianvulture.blogspot.com/2014/06/…...因此,您无需再费劲了:
– Kifcaliph
2014年6月16日14:52
听到您对ZynOS的看法真棒,Craig!
–小工具
15年7月15日在3:57
#2 楼
您可以尝试使用firmware-mod-kit来查看是否还有进一步的改进,尽管firmware-mod-kit专为Linux而设计,因此可能无济于事。有时我发现它可以完成binwalk不能做的事情(反之亦然)此外,您可能想从最新的源构建
binwalk,然后再试一次。 #3 楼
这有点旧,但是我无法执行与OP相同的任务-也就是说,找不到能够正确解压缩ZyNOS固件更新映像的工具。所以我自己滚了。请抓取并在您的图片上尝试:https://github.com/dev-zzo/router-tools/blob/master/zynos.py
该工具目前不支持重新打包图像,但我正在处理它。
评论
也许发布binwalk的输出?我添加了binwalk输出