After following this tutorial, I decided to try reverse engineering my router's firmware. My router is a TP-Link TD-W8961N, firmware version V2. The firmware does not contain any obvious file system, bootloader or extractable kernel.

From the binwalk analysis, the router appears to run ThreadX on the MIPS architecture.

Running binwalk -eM TDW8961N, I get

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
63643         0xF89B          ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
63892         0xF994          ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
85043         0x14C33         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 66696 bytes
118036        0x1CD14         Unix path: /usr/share/tabset/vt100:\
118804        0x1D014         ZyXEL rom-0 configuration block, name: "spt.dat", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
118824        0x1D028         ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 16
128002        0x1F402         GIF image data, version "89a", 200 x 50
136194        0x21402         GIF image data, version "89a", 560 x 50
253333        0x3DD95         Neighborly text, "neighbor of your ADSL Router that will forward the packet to the destination. On the LAN, the gateway </font>e destination. On the LAN, the gateway </font>"
349586        0x55592         Copyright string: "Copyright (c) 2001 - 2015 TP-LINK TECHNOLOGIES CO., LTD."
386471        0x5E5A7         Copyright string: "Copyright &copy; 2015 TP-LINK Technologies Co., Ltd. All rights reserved."
386489        0x5E5B9         TP-Link firmware header, firmware version: 17256.26992.22113, image version: " Co., Ltd. All rights reserved.", product ID: 0x6E42746E, product version: 1131375727, kernel load address: 0x72002223, kernel entry point: 0x46463939, kernel offset: 4475203, kernel length: 1347765096, rootfs offset: 1768969317, rootfs length: 2020868163, bootloader offset: 1347747908, bootloader length: 1229148245
806847        0xC4FBF         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2853276 bytes


Scan Time:     2016-10-07 22:29:27
Target File:   /home/aaron/Desktop/tools/firmware/TD-W8961N/_TD-W8961N-0.extracted/14C33
MD5 Checksum:  feac8e40efcca119826f811501b36502
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------


Scan Time:     2016-10-07 22:29:27
Target File:   /home/aaron/Desktop/tools/firmware/TD-W8961N/_TD-W8961N-0.extracted/C4FBF
MD5 Checksum:  78c0c10cba8fba3ce1c194461ac40fa4
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2141288       0x20AC68        Neighborly text, "neighbor loss) fail"
2144380       0x20B87C        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 8313
2157896       0x20ED48        Neighborly text, "neighbordown: can't shutdown OSPF task completely"
2168474       0x21169A        ZyXEL rom-0 configuration block, name: "spt.dat", compressed size: 769, uncompressed size: 259, data offset from start of block: 28805
2249704       0x2253E8        HTML document footer
2250021       0x225525        HTML document header
2253724       0x22639C        XML document, version: "1.0"
2320029       0x23669D        Base64 standard index table
2332534       0x239776        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 131
2332646       0x2397E6        Copyright string: "Copyright (c) 1994 - 2004 ZyXEL Communications Corp."
2332699       0x23981B        Copyright string: "Copyright (c) 2001 - 2006 TrendChip Technologies Corp."
2332754       0x239852        Copyright string: "Copyright (c) 2001 - 2006 "
2333095       0x2399A7        ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 0, data offset from start of block: 16
2344978       0x23C812        eCos RTOS string reference: "ecost"
2393676       0x24864C        SHA256 hash constants, big endian
2395752       0x248E68        Base64 standard index table
2436753       0x252E91        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 135
2454640       0x257470        ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 25972, uncompressed size: 11886, data offset from start of block: 131
2495500       0x26140C        Base64 standard index table
2537620       0x26B894        XML document, version: "1.0"
2544124       0x26D1FC        XML document, version: "1.0"
2545312       0x26D6A0        XML document, version: "1.0"
2546280       0x26DA68        XML document, version: "1.0"
2551100       0x26ED3C        XML document, version: "1.0"
2555276       0x26FD8C        XML document, version: "1.0"
2558548       0x270A54        XML document, version: "1.0"
2563936       0x271F60        XML document, version: "1.0"
2569916       0x2736BC        XML document, version: "1.0"
2572052       0x273F14        XML document, version: "1.0"
2579160       0x275AD8        XML document, version: "1.0"
2595692       0x279B6C        XML document, version: "1.0"
2605172       0x27C074        XML document, version: "1.0"
2613932       0x27E2AC        XML document, version: "1.0"
2615368       0x27E848        XML document, version: "1.0"
2627752       0x2818A8        XML document, version: "1.0"
2648491       0x2869AB        Copyright string: "copyright"
2658067       0x288F13        Copyright string: "copyright" >"
2759380       0x2A1AD4        CRC32 polynomial table, big endian
2827145       0x2B2389        Unix path: /wifi_uni_mac/ROM/nic/hal/MT7603/hal_rom.c
2827593       0x2B2549        Unix path: /wifi_uni_mac/ROM/nic/hal/MT7603/hal_pwr_mgt_rom.c
2828329       0x2B2829        Unix path: /wifi_uni_mac/mgmt/mt7603/rlm_phy.c
2828385       0x2B2861        Unix path: /wifi_uni_mac/mgmt/mt7603/rlm_sensor.c
2852324       0x2B85E4        Copyright string: "Copyright (c) 1996-2010 Express Logic Inc. * ThreadX MIPS32_34Kx/Green Hills Version G5.4.5.0 SN: 3182-197-0401 *"


This creates two files: 14C33, which gives no results when run through binwalk, and C4FBF, which gives output similar to that of binwalk TDW8961N. It also creates many similar xml files.

I opened the files 14C33 and C4FBF in a hex editor and noticed that the first two bytes are 3C 08. Running file on both files returns

14C33: data
C4FBF: data

I Googled these two bytes and came across this page, which says that a zlib stream can begin with 08 3C, although this is not common. After reading this, I changed the first two bytes so that they read 08 3C, and running file 14C33 now returns

14C33: zlib compressed data

I did the same with the file C4FBF, and when I tried to decompress it, it failed. Using gzip I get unknown suffix -- ignored. I also tried uncompress and pigz, but they gave similar errors. Also, I don't understand why both eCos and ThreadX are referenced. For the bootloader and kernel offsets, are these the offsets at which the bootloader and kernel are loaded into memory?
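As an added illustration (not code from the original post or from any tool it mentions), the script below runs the header checks a practitioner would apply to the extracted 14C33/C4FBF blobs before editing any bytes: the RFC 1950 zlib header rule, a real inflate attempt, the LZMA-alone header with the properties binwalk reported, and a big-endian MIPS decode of the first word. The sample bytes are constructed, and the instruction sequence assumed for the 3C 08 start is an assumption.

```python
import struct
import zlib
# Constructed samples (not bytes from the firmware on the page): the 3C 08 start the question
# saw, read as big-endian MIPS "lui $t0, 0x8000 ; addiu $t0, $t0, 0" (an assumed prologue); the
# same bytes with the first two swapped, as the question did; and an LZMA-alone header carrying
# the properties binwalk reported (props 0x5D, 8 MiB dictionary).
SAMPLES = {
    "as_extracted": bytes.fromhex("3c08800025080000"),
    "byte_swapped": bytes.fromhex("083c800025080000"),
    "lzma_header": bytes.fromhex("5d00008000") + b"\xff" * 8 + b"\x00" * 5,
}
MIPS_I_OPCODES = {0x0F: "lui", 0x09: "addiu", 0x23: "lw", 0x2B: "sw", 0x03: "jal"}
def is_zlib_header(data):
    """RFC 1950 header test: CM == 8 (deflate), CINFO <= 7, CMF*256+FLG divisible by 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def inflates(data):
    """Stronger test: hand the bytes to zlib. 08 3C passes the header check, but FLG 0x3C has FDICT
    set (a preset dictionary would be needed) and what follows is garbage, so zlib raises."""
    try:
        zlib.decompressobj().decompress(data)
        return True
    except zlib.error:
        return False

def lzma_alone_header(data):
    """LZMA-alone header: props byte, little-endian dict size; require props < 225, power-of-two dict."""
    if len(data) < 13:
        return None
    props, dict_size = data[0], struct.unpack_from("<I", data, 1)[0]
    if props >= 225 or dict_size < 4096 or dict_size & (dict_size - 1):
        return None
    pb, rem = divmod(props, 45)
    lp, lc = divmod(rem, 9)
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}

def decode_mips_be(data):
    """Read the first word as a big-endian MIPS I-type instruction: (mnemonic, rt register)."""
    word = struct.unpack_from(">I", data)[0]
    return MIPS_I_OPCODES.get(word >> 26, "opcode_%#x" % (word >> 26)), (word >> 16) & 0x1F

def classify(data):
    # A header match alone is weak evidence; confirm zlib by actually inflating.
    if is_zlib_header(data):
        return "zlib stream" if inflates(data) else "zlib-looking header only"
    if lzma_alone_header(data):
        return "lzma"
    return "mips code" if decode_mips_be(data)[0] == "lui" else "unknown"
```

The byte-swapped sample shows why `file` was misled: 08 3C satisfies the zlib header arithmetic, but the stream does not inflate, while the untouched bytes decode as a plausible first MIPS instruction.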

Comments

Hi Aaron Garton, I own a TD-W8961N v2. If you managed to extract the file system of the TD-W8961N, I would like to edit the firmware, please send me the files.

#1

I found the answer.

The router runs ZynOS and needs to be extracted using the router tool.

After downloading it, I ran the command

python zynos.py unpack TDW8961N

which unpacked the router firmware. All I need to do now is find the architecture using binwalk -Y file, then load the file into IDA and disassemble it, using
https://wiki.openwrt.org/doku.php?id=oldwiki:openwrtdocs:hardware:zyxel:p_335wt to find out where the ROM starts.